I see no evidence of KeePassium being a hobby/community project. It's a paid-for product made by KeePassium Labs. In fact, their GitHub repository clearly states that they accept no code contributions. The only contributions they accept are bug reports, help with language translation, and app store reviews.


Hmm, that was unprovoked.

You are right, I am wrong.

I must have mixed KeePassium up with something else. Indeed, KeePassium is a paid product which might fit better in the "corporate" category and not the "hobby" category. I should have used MacPass or KeePassXC (hopefully I am not wrong about those).

--

I do not have a problem with FOSS hobby projects as long as the community behind them is big enough, like Linux Mint and PiHole, but @svenmany will only trust the security of an app if it has been professionally audited, which is his choice and an understandable decision.
 
What happens when you send your Mac in for service, especially to a third party, and they ask for the user password? That's still my issue with using the same password to unlock my Mac and my password manager.

I've never had to give my password when sending my computer in for service (it's always been to Apple), as long as I've had no firmware password set. They do not need to use your disk to service other parts of the computer. If my disk were having a problem, I would reset the computer and then restore after service is complete. I know that could be a pain, but I have so much content on my disk that I wouldn't risk giving others access to it.

This request happened to me on one occasion. No way on Earth would I hand over my credentials to someone. I simply created a user account for them to use.


This always irritated me. I went to fix my speakers at a local place and very casually he said "give me the password to unlock your computer to check if the speakers are working". Note he was doing it in a back office, meaning he could download anything off the drive if he wanted to, or inject any spyware into it.

Creating a guest account is a nice circumvention method. Wiping the drive and restoring is a bit overkill, but OK if you only have to do it once in the lifetime of a machine, which is the more likely scenario. I do not assume you will be sending your device to Apple on a weekly basis.
 
Moved this morning. Most of my passwords were already in Keychain to begin with, so it wasn't a big deal and I didn't need to risk anything with a CSV file. I had a few identity records in 1Password such as passports, driving licences and credit card details. I just created a folder in Apple Notes and created locked notes for those. After that, it was Adios Muchachos 1Password.

Does it autofill on third-party browsers like Firefox?
 
@svenmany will only trust the security of an app if it has been professionally audited

Not even close. I don't seem to be able to explain this to you.

I believe I only ever mentioned audits with respect to password management applications.

I only said that the assumption that open source adds safety is unwarranted and dangerous.

I would likely trust KeePassium, but I wouldn't automatically use its open source status in my evaluation. For that, I would have to see evidence of a security researcher reviewing the code and giving it a thumbs up or submitting patches which are applied.

My position on open source is a bandwagon for me. I guess I'm the only one in the band since no one on this thread has echoed my sentiment. I am always agitated when someone says that they trust an app more because it's open source. It's such a commonly stated opinion. Black and white positions are easy to have, but I wish people considered this one more deeply.
 
Creating a guest account is a nice circumvention method. Wiping the drive and restoring is a bit overkill, but OK if you only have to do it once in the lifetime of a machine, which is the more likely scenario. I do not assume you will be sending your device to Apple on a weekly basis.

I use FileVault. I wouldn't allow someone unsupervised to have access to my unlocked disk. So, for me, a guest account isn't an option if I'm not monitoring all activity.
 
I stumbled across this post on KeePass’s home page, and thought it was interesting and relevant to the discussion on open source software: https://www.schneier.com/crypto-gram/archives/1999/0915.html#OpenSourceandSecurity

Here is the first portion of the post:

“Open Source and Security

As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It’s true for cryptographic algorithms, security protocols, and security source code. For us, open source isn’t just a business model; it’s smart engineering practice.”
 

I've seen that; it's a very old quote. His assertion is that the positive effects of white hats outweigh the negative effects of black hats. I suspect in his own work that might be true. He is so highly visible and I'm guessing has lots of high-powered collaborators (though I don't know if he writes software). That quote is from 1999, way before the massive proliferation of open source applications, all trying to capitalize on open source's reputation.

These days, that quote is a gun in a child's hand.

-- Edit --

Yikes. I just reread that "child's hand" part. I didn't mean to imply @gregmac19 did anything wrong to mention the quote.
 
On Security Now podcast ep 992 (around 1:39:11), Steve Gibson discusses password manager injection attacks.
I tried to read it. I'll definitely make a second attempt. It's very hard for me to get through because of the way my mind works; it's too mangled by the AI that did the transcription.
 
Here’s a human transcribed version:

Password injection starts on page 13.

From reading the above, it seems to me that the security risks of using a password manager are very low, to the point of being theoretical only.

Snooping ability is required, either of the user’s encrypted vault, and/or the user’s https traffic. These are quite high barriers to cross.

Assuming those barriers have been crossed, a great deal of snooping and password changing activity by the user would then be required. Knowing, for example, that a change to a password vault resulted in a change to a MacRumors website login in particular still means that it's very hard to figure out what that password was. Maybe if you changed it a few thousand times the attacker might be in with a fighting chance. And knowing that, following a password change, you now have one less duplicate password in your vault is useful information. But that's a long, long way from being able to figure out how to decrypt a vault.
 
My position on open source is a bandwagon for me. I guess I'm the only one in the band since no one on this thread has echoed my sentiment. I am always agitated when someone says that they trust an app more because it's open source. It's such a commonly stated opinion. Black and white positions are easy to have, but I wish people considered this one more deeply.
I feel that open source software is fine, but only if it gets heavily reviewed and updated by reputable people.

Let’s be honest here. Any developer can release open source software, and people that don’t know how to test and review code are completely in the dark about what it’s doing in addition to what it says it’s doing.

Can a closed source software company do the same thing? Sure. The motivation in this scenario is not only reputation, but money. Certainly a big motivator to get their software audited and rigorously tested.
 

I believe popular open source software is secure by design, especially for password vaults.

Huge user base => honeypot for hackers => no reported attacks = Secure enough

A password vault has all your logins, from emails to big social accounts to bank accounts. Bad actors will be targeting this software more than, say, an office suite or video player app.

The same could be said for closed source software, but having it open source is a cherry on top telling us even the app developer is not doing something funny behind closed doors, at least on local run apps (not server apps).
 
The Passwords app is underpinned by iCloud Keychain. I don’t use third party browsers myself, but I found the following article from 2023.

Using iCloud Passwords with third-party browsers on macOS

Looks like a browser extension installation is required, and no Firefox was available at that time.

Wowza, it already has 2 million users, and that's the Chrome users, not the Safari ones. Looks like it's going to eat a serious market share from other password manager developers. Anyways, the reviews are bad at 2.5/5.
 
Here’s a human transcribed version:

Password injection starts on page 13.

Thanks so much for the link to the PDF. I really thought it was a fabulous read.

Perturbation has always been a standard technique for cracking encryption. I guess having been compromised by sharing a vault with an adversary, or otherwise importing credentials provided by that adversary, allows the adversary to tweak the input to the encryption function. Then, if they can monitor changes to the encrypted vault (the output of the encryption function), they can deduce some things. Pretty amazing how much they've shown can be learned.

Showing website icons is one of the ways that makes the risk greater. I've always turned that off in 1Password because they've always warned about the slight security risk when using that feature. They did have a bug however that I reported on their forums and they have since fixed. Even if one had turned off website icons in the application, the browser extension still fetched them and showed them. The bug lasted at least a month after I reported it (maybe even longer).

I really liked one point the article ended with.

So the reason I chose to share these attacks on this podcast is for what we learn from them about the true challenges that are associated with truly protecting secret information. It’s so easy for the salesman to boast “Oh, don’t worry, it’s all military-grade encrypted and, guess what! We’re using a bazillion-bit key!! So no one will ever possibly crack that!” Right.

But the lesson taught by these injection attacks is that no one ever needs to crack that bazillion-bit key. The reason the password managers jumped to modify and improve their systems when they were informed of these subtle issues is that “subtle issues” may be all that’s needed to infer the data that’s being protected by those bazillion-bit keys.

Any mature and fully informed understanding needs to appreciate that encrypting something is far from being the end of the task – it’s only the start. Twenty years ago there was a general lack of understanding of the gulf that exists between theoretical and practical “field-ready” security technology. But during these past twenty years this sort of research has opened the eyes of the people who are implementing these systems, and we all benefit.

So, whenever you read on the website of some password manager that your data is safe since they use a standard, well-studied open-source encryption, you should then wonder if they're missing the point. Really, the entire password application has to be secure, not just the encryption libraries it uses. So, if you are one of the people who thinks open-source is going to save you, then the entire application had better be open source for you to be happy.
 
My takeaway is that all the extras such as icons, checking for compromised passwords, etc. *may* cause security holes. At least in theory.
 
I believe your statement is accurate. Anytime an app accesses the internet, said app is open to exposure and subsequently compromise. I think a lot of people fail to think about that salient aspect when lauding all that password manager x can do.
 
Showing website icons is one of the ways that makes the risk greater. I've always turned that off in 1Password because they've always warned about the slight security risk when using that feature. They did have a bug however that I reported on their forums and they have since fixed. Even if one had turned off website icons in the application, the browser extension still fetched them and showed them. The bug lasted at least a month after I reported it (maybe even longer).

Why is grabbing the site icon risky when you literally type in the password and login name on that very same website?
 
My takeaway is that all the extras such as icons, checking for compromised passwords, etc. *may* cause security holes. At least in theory.

Checking for compromised passwords is also something the 1Password warns about as being slightly risky. I do turn that off as well.

My intuition is simplistic, but here it is.

The icon lookup and compromised password check are external accesses, not within the encrypted storage. I believe that 1Password routes those lookups over an encrypted channel to its own servers. In that way, the icon lookups are not identified as coming from the user. But, I'm not sure about that or the nature of the risks even if that were true.

The more subtle risks are the checks like duplicate password detection. If someone manages to insert into your vault a new entry, then whether it's a copy of an existing entry or not would have different effects on the new state of the encrypted vault. Constantly probing in this way seems to allow the researchers to learn things.

One password program, Dashlane, mitigated the risk by throttling the rate at which passwords can be shared. That would make the attack ineffective, since many perturbations are required to learn much of anything. LastPass decided to separate personal items from shared ones. That mitigates the risk because injected shared credentials wouldn't alter the private vaults at all.

I don't yet have any intuition about the KeePass vulnerability related to deduplication and compression.
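The duplicate-entry effect described above can be seen directly when a vault is compressed before it is encrypted, as KeePass-style databases do: DEFLATE shrinks a repeated password to a short back-reference, so the sealed vault ends up smaller after a duplicate is injected than after a unique one. The script below is an added illustration, not code from the thread or from any password manager; the vault layout, the entries and the HMAC-based toy stream cipher are constructed (the cipher only needs to be length-preserving for the point to hold), and the padding step shows the mitigation: fixing the sealed size to a block multiple so no per-entry size change is observable.

```python
import hashlib
import hmac
import json
import secrets
import zlib

PAD_BLOCK = 4096  # pad the compressed vault to a multiple of this before encrypting

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter keystream (constructed). It stands in for a real
    stream/AEAD cipher only because ciphertext length is all this demo observes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Length-preserving encryption: 16-byte nonce || plaintext XOR keystream."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def seal_vault(key: bytes, entries: list, pad: bool) -> bytes:
    """Serialize, compress (as KeePass-style vaults do), optionally pad, encrypt."""
    blob = zlib.compress(json.dumps(entries, sort_keys=True).encode(), 9)
    if pad:
        # 4-byte length prefix so a reader can strip the zero padding later
        blob = len(blob).to_bytes(4, "big") + blob
        blob += bytes(-len(blob) % PAD_BLOCK)
    return encrypt(key, blob)

def constructed_vault() -> list:
    """20 constructed entries with distinct, random-looking (hex) passwords."""
    return [{"site": f"site{i:02d}.example", "user": f"user{i:02d}",
             "password": hashlib.sha256(f"constructed-pw-{i}".encode()).hexdigest()}
            for i in range(20)]

def sealed_size_after_injection(duplicate: bool, pad: bool) -> int:
    """Size of the sealed vault after an attacker-chosen entry is added.
    duplicate=True reuses the password of an existing entry (what a
    duplicate-password check would flag); False injects a fresh one."""
    key = secrets.token_bytes(32)
    vault = constructed_vault()
    injected_pw = (vault[3]["password"] if duplicate
                   else hashlib.sha256(b"constructed-injected").hexdigest())
    vault.append({"site": "shared.example", "user": "shared", "password": injected_pw})
    return len(seal_vault(key, vault, pad))

if __name__ == "__main__":
    for pad in (False, True):
        dup = sealed_size_after_injection(True, pad)
        uniq = sealed_size_after_injection(False, pad)
        print(f"pad={pad}: duplicate -> {dup} bytes, unique -> {uniq} bytes")
```

Without padding the two sealed sizes differ by roughly the compressed cost of one password, which is the single bit an observer of the stored vault learns per injected entry; with padding both land on the same 4096-byte boundary, and Dashlane-style throttling attacks the same problem from the other side by limiting how many such probes are possible.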
 
Why is grabbing the site icon risky when you literally type in the password and login name on that very same website?
Every URL requested, even from a secure website, exposes the DNS name to all listeners. The DNS name is transmitted in the clear and used to pick the right server certificate to set up the secure channel of communication. Even if you don't visit the sites in your vault, the access of their icons exposes your relationship with all of those sites.

Certainly using a VPN helps. Also, relaying through a trusted intermediary helps, like an intermediary that might be set up by the password manager. I just started to remember something, so I looked up the 1Password page on this topic (I was curious about the setup of their intermediary).


They maintain the icons in caches stored on two third-party servers. They do warn that they don't control those cache servers and that's a non-trivial exposure.

Also, they warn that the icons retrieved are not part of your vault. So a compromise of your device or backup of your device could expose those icons.

Why is it bad to have an adversarial third party know that you have a relationship with a ton of websites? I would worry about identity theft and, more generally, the use of the information as part of a more in-depth strategy to compromise my accounts.
 
They responded to your posted concern on their forums within 50 minutes. Seems a non-issue.
Um, the good news is that this update is not supposed to break personal vaults, but there is an issue on my MBP, no sync button. I'll report back in the other thread when it's resolved...

Update: Issue fixed see other thread.

Note: I'm very happy with Codebook. Yes, in some ways 1Password is more polished, but what 1P does not have is personal vaults, and it does require a subscription if you want to remote sync devices. 🤔
 
Re the new Strongbox Sync .... it sounds good. I had some questions and thought I would share what Strongbox folk confirmed with me:

I have multiple devices ......

My own use case: I am thinking I will just dump KeePassXC on Windows and switch to Strongbox Sync. I only use W11 for gaming, so I don't really need a PMgr on it. It's very rare that I use it on the PC.
Just an update for what it's worth....

I did go ahead and dump KeePassXC on Windows and switch to Strongbox Sync in July.

I have had zero problems with Strongbox Sync.

(mind you as I did say in my previous post I have had ZERO problems with iCloud sync too.... but maybe I was lucky with that)
 