So, how I understand cloud backups work is that they have servers around the globe. Proton is based in Switzerland, so that's where their main servers are, but I doubt they have offices around the globe like in Malaysia and Brazil.

I think maybe what they mean is they rented a whole server from some other hosting provider and only they have access to it for administration, but I doubt they are physically there or own the establishment.

As far as I know, the main data center is in Zurich, but they own data centers in Germany and Norway as well, mostly to increase resilience to network problems.
I knew that they only store their customer data in their own data centers, but I might be wrong, of course.
What you can find on their web page (e.g. here: https://proton.me/support/mail) are statements like:

  • Strong physical security: We've invested heavily in owning and controlling our own server hardware. Our data centers are located at highly secure sites that require biometric access.

If the app is open source, doesn't it make it easier for hackers to find the flaw in the code? Given there are no known attacks, does that mean no hacker was able to find any flaws?

So, kind of, the open source methodology audits itself?

This is a philosophical question!
The world runs on open source software. Linux, from the kernel to the GNU software stack, is fully open source. The encryption libraries that you use every day when accessing any web page (for example, OpenSSL) are open source.
They have a history of security problems found, for sure, but being open source, finding problems can be done by both good and bad entities. If a potential problem is identified by someone who does not want to exploit it, it is reported to the community, normally without advertising the problem itself before a patch is released.
If software is closed source, apart from the commissioned auditing process, which is the same for OSS, only bad actors can have the motivation to break the law and look for a way to access the code and find its problems. It's an expensive thing to do, so when they find a problem, they exploit it or sell it.

But again it is more a philosophical question.
 
> Given there are no known attacks, does that mean no hacker was able to find any flaws?
>
> So, kind of, the open source methodology audits itself?

I quite liked @Pag46's answer to this, as a general evaluation of the potential advantage open source has over closed source. I would argue, though, that this advantage is rarely realized.

I started using open source software in the early 90's and was a big fan. But back then, open source's advantage came from active developer collaboration on highly visible projects. I personally fussed over a bunch of them, providing feedback at times. Open source developed a well-deserved great reputation. That reputation is now casually applied to any project that advertises itself as open source. At this point in time, the blind acceptance of the advantage of open source is just a religion. The more critical evaluations have pointed out the incredible dangers that come from open source code and the blanket trust people put in it. You can duckduck "dangers of open source software" and read up.

Deciding if an open source project benefits from that status has to be done on a project-by-project basis. One has to confirm that there is active participation from a broader community than just a handful of developers. I do not yet see evidence of that with Proton Pass when I look at GitHub.

Regarding the conclusion that open source code audits itself: I don't think so. Vulnerable open source code that seems not to have been exploited might:
  • not have been reviewed by a smart enough hacker
  • have been reviewed but not deemed worth the effort to exploit
  • or have been reviewed, exploited, and the exploit not noticed
If the project is a valuable target, the third option is the most likely. Even if the exploit is discovered, it could be too late for some victims.

None of this should be interpreted as critical of Proton Pass or its developers. I know nothing about them or their competence in the area of password management.
 
> Deciding if an open source project benefits from that status has to be done on a project-by-project basis. One has to confirm that there is active participation from a broader community than just a handful of developers. I do not yet see evidence of that with Proton Pass when I look at GitHub.

There are 2 kinds of open source.

1) Corporate: This has funding and paid developers behind it, just like any closed source project. The company chooses to make it open source. Ex. Firefox, Linux Foundation, Bitwarden, Proton. The FOSS part is just a cherry on top.

2) Community: This is the part where it is made by volunteers and has no audits. This type of FOSS project is where your worries come from. Ex. uBlock Origin, KeePass, Pi-hole
 
New Contender

PassBolt!

This guy doesn't seem to like it, though. It's free if you host it yourself. Not for the average user, but something to consider for the "on my device" warriors.
 
> There are 2 kinds of open source.
>
> 1) Corporate: This has funding and paid developers behind it, just like any closed source project. The company chooses to make it open source. Ex. Firefox, Linux Foundation, Bitwarden, Proton. The FOSS part is just a cherry on top.
>
> 2) Community: This is the part where it is made by volunteers and has no audits. This type of FOSS project is where your worries come from. Ex. uBlock Origin, KeePass, Pi-hole

Almost all projects that have corporate involvement have no audits. I can't quite tell if you were implying otherwise.

There are thousands of open source projects that don't fit cleanly into your two categories. So many are a mix of unpaid interested parties and employees of some company (where the company uses the software and needs problems fixed or its direction influenced). Certainly, your classification of Linux (implied by "Linux Foundation") as corporate, with some company choosing to make it open source, is extremely off the mark.
 
> New Contender
>
> PassBolt!
>
> This guy doesn't seem to like it, though. It's free if you host it yourself. Not for the average user, but something to consider for the "on my device" warriors.

I've never even heard of it, but it seems very interesting.

This is a good example of an open-source project that is a mix of community and company. The company is based in Luxembourg. But, I took a look at their community edition GitHub repository that their site links to (they have other repositories), and it has 345 contributors, a bunch of issues (mostly resolved), and an active community forum.

I believe that this application seriously benefits from its open-source approach.
 
> Almost all projects that have corporate involvement have no audits. I can't quite tell if you were implying otherwise.
>
> There are thousands of open source projects that don't fit cleanly into your two categories. So many are a mix of unpaid interested parties and employees of some company (where the company uses the software and needs problems fixed or its direction influenced). Certainly, your classification of Linux (implied by "Linux Foundation") as corporate, with some company choosing to make it open source, is extremely off the mark.

There seems to be a misunderstanding. What you are referring to is still considered a community project, where some employees of a company drop in sometimes to fix things. I am not talking about "corporate involvement"; I am talking about the corporation actually being the one building the software.

They have dedicated paid employees working on the software, exactly like closed source software corporations. How is it different? Is Mozilla, with 1000 paid employees and open source apps, less secure than Readler, which has 250 employees and closed software? Odoo is another FOSS app company that employs 2800 people. Those are not "community" projects based on donations.
 
> There seems to be a misunderstanding. What you are referring to is still considered a community project, where some employees of a company drop in sometimes to fix things. I am not talking about "corporate involvement"; I am talking about the corporation actually being the one building the software.
>
> They have dedicated paid employees working on the software, exactly like closed source software corporations. How is it different? Is Mozilla, with 1000 paid employees and open source apps, less secure than Readler, which has 250 employees and closed software? Odoo is another FOSS app company that employs 2800 people. Those are not "community" projects based on donations.

I don't know how relevant your opinion that there are two distinct categories of open source projects is to the discussion. You've gained an impression of that world that is radically different from mine. I'll just leave you to it.

Open-source software is not inherently dangerous - the blanket acceptance that being open-source makes it safer is dangerous. Since we were talking about Proton Pass, I guess my belief was being applied to your first category of project (the corporate one) since the Proton Pass repositories are controlled by a company.
 
> Open-source software is not inherently dangerous - the blanket acceptance that being open-source makes it safer is dangerous.

This is correct.

> Since we were talking about Proton Pass, I guess my belief was being applied to your first category of project (the corporate one) since the Proton Pass repositories are controlled by a company.

Yes, their team is made of professionals working full time on it. Unlike something like KeePassium.
 
> This is correct.

> Yes, their team is made of professionals working full time on it. Unlike something like KeePassium.

I really don't know what you mean. If I read that literally, you are saying that the developers (maybe there's only one) of KeePassium are not professionals or are only spending part of their time working on it. You are also saying that the developers working on Proton Pass don't spend any of their time working on other projects. You must be saying something else.
 
I value pretty. I use 1Password (the full application) all day long and enjoy using it, partially because it is appealing to look at. There are certain applications that, as Marie Kondo says, spark joy when I use them. The 1Password application is one of those.

Unfortunately, the 1Password browser extension doesn't spark much. I've looked at BitWarden as a possible alternative to 1Password; it doesn't have any sparks.

But, we're all different in our tastes and how much aesthetics affect us.

I've just got a fresh install on my laptop and haven't installed 1Password due to how flaky the browser extension is.

I've started adding key passwords to Apple's Passwords app and must admit I really like it. It integrates well and saves the passwords more easily in Safari. I think I might make the move full time.
 
> I've just got a fresh install on my laptop and haven't installed 1Password due to how flaky the browser extension is.
>
> I've started adding key passwords to Apple's Passwords app and must admit I really like it. It integrates well and saves the passwords more easily in Safari. I think I might make the move full time.

Is it possible to somehow save things like my grandmother's PIN codes or whatever? Even if there's no note feature, is it possible to create a login, but skip the URL and password section and only use the notes section?
 
> Is it possible to somehow save things like my grandmother's PIN codes or whatever? Even if there's no note feature, is it possible to create a login, but skip the URL and password section and only use the notes section?

I used something like grandma.local as the URL. It is a required field. Why don't you put the PIN code as the password?
 
> I used something like grandma.local as the URL. It is a required field. Why don't you put the PIN code as the password?

URL is not a required field.
I think just the password is, but you can just type a space in there, and the rest can be a text note in the note field.

Still a far cry from 1Pw.
 
> I really don't know what you mean. If I read that literally, you are saying that the developers (maybe there's only one) of KeePassium are not professionals or are only spending part of their time working on it.

Yes, it's a hobby/community project.

> You are also saying that the developers working on Proton Pass don't spend any of their time working on other projects. You must be saying something else.

The Proton Pass team are paid full-time employees on the Proton Pass project.
 
Monday 16 September 2024. The Apple Passwords app is finally out of beta. Hurrah!
 
Came here to see if there was a surge of interest in the iOS 18 / Passwords app. I upgraded my iPhone / iPad / MacBook last night and saw that Passwords will import a CSV file.

Anyone moving?
 
> Yes, it's a hobby/community project.

> The Proton Pass team are paid full-time employees on the Proton Pass project.

I see no evidence of KeePassium being a hobby/community project. It's a paid-for product made by KeePassium Labs. In fact, their GitHub repository clearly states that they accept no code contributions. The only contributions they accept are bug reports, help with language translation, and app store reviews.

 
> Came here to see if there was a surge of interest in the iOS 18 / Passwords app. I upgraded my iPhone / iPad / MacBook last night and saw that Passwords will import a CSV file.
>
> Anyone moving?

Moved this morning. Most of my passwords were already in Keychain to begin with, so it wasn't a big deal and I didn't need to risk anything with a CSV file. I had a few identity records in 1Password such as passports, driving licences and credit card details. I just created a folder in Apple Notes and created locked notes for those. After that, it was Adios Muchachos, 1Password.
 
> Moved this morning. Most of my passwords were already in Keychain to begin with, so it wasn't a big deal and I didn't need to risk anything with a CSV file. I had a few identity records in 1Password such as passports, driving licences and credit card details. I just created a folder in Apple Notes and created locked notes for those. After that, it was Adios Muchachos, 1Password.

What happens when you send your Mac in for service, especially to a third party, and they ask for the user password? That's still my issue with using the same password to unlock my Mac and my password manager.
 
> What happens when you send your Mac in for service, especially to a third party, and they ask for the user password? That's still my issue with using the same password to unlock my Mac and my password manager.

I've never had to give my password when sending my computer in for service (it's always been to Apple), as long as I've had no firmware password set. They do not need to use your disk to service other parts of the computer. If my disk were having a problem, I would reset the computer and then restore after the service is complete. I know that could be a pain, but I have so much content on my disk that I wouldn't risk giving others access to it.
 
> What happens when you send your Mac in for service, especially to a third party, and they ask for the user password? That's still my issue with using the same password to unlock my Mac and my password manager.

This request happened to me on one occasion. No way on Earth would I hand over my credentials to someone. I simply created a user account for them to use.
 
> Yes, their team is made of professionals working full time on it. Unlike something like KeePassium.

Hmm, that was unprovoked.

> I see no evidence of KeePassium being a hobby/community project. It's a paid-for product made by KeePassium Labs.

Yep. Let me share some background:

  • KeePassium started as a solo side project in 2018. From day one, though, it had a sound business model.
  • Grew into a full-time job in 2020.
  • Registered as a company in 2023.
Self-sustainable and doing well, thanks to thousands of paying customers. Not looking for external funding; this slows down our growth, but gives maximum freedom. Today, there are two paid developers and hundreds of users providing feedback. So yes, one can call it a community project, in a sense, but definitely not a hobby :)
 