1Password migrants thread

[Apple_Robert]

I just noticed that the Minimalist Password Manager hasn't had an update in a year. As someone who paid for a license, I find this concerning and just sent them an email asking why there has been no update and that if they are abandoning the app, let me know so I can move on.

 

[MacBH928]

this is part of the reason I do not use obscure or 1-developer apps, you can't rely on it as any personal issues with the developers will halt the app/service.

 

[Apple_Robert]

this is part of the reason I do not use obscure or 1-developer apps, you can't rely on it as any personal issues with the developers will halt the app/service.

That applies to any business. Your one-developer rhetoric is a logical fallacy.

 

[svenmany]

I'm satisfied with 1Password's handling of the clickjacking vulnerability. They've added a simple option which causes a quick confirmation dialog when you use the program from the web elements. This completely eliminates the vulnerability discussed in the clickjacking document.

I think this is a better solution than chasing each clickjacking vulnerability that arises in the future. For example, the RoboForm release notes which Toth references as having fixed the vulnerability says "Fixed one more click-jacking vulnerability reported by reviewers." I suspect, as 1Password has said in their blog post on the topic, there is no comprehensive solution, and it will be a constant battle to "fix one more click-jacking vulnerability" into the future.

 

[maflynn]

'm satisfied with 1Password's handling of the clickjacking vulnerability.

I didn't hear about that, and I had to google it. I'm reading the blog now and yeah. I'm happy to see they're quite on the uptake on this and are dealing with it.

 

[max2]

I'm satisfied with 1Password's handling of the clickjacking vulnerability. They've added a simple option which causes a quick confirmation dialog when you use the program from the web elements. This completely eliminates the vulnerability discussed in the clickjacking document.

I think this is a better solution than chasing each clickjacking vulnerability that arises in the future. For example, the RoboForm release notes which Toth references as having fixed the vulnerability says "Fixed one more click-jacking vulnerability reported by reviewers." I suspect, as 1Password has said in their blog post on the topic, there is no comprehensive solution, and it will be a constant battle to "fix one more click-jacking vulnerability" into the future.

Clickjacking vulnerability is far worst than being discussed. Not the best similar example but like ad blockers and YouTube website video ads on a Mac or PC. Not even close to the same thing but my point is difficult to stay ahead of sometimes for developers. Thankfully there is more than one or even two developers with at least half of programs / apps.

 

[eltoslightfoot]

Is clickjacking an issue if you don't have your browser plugin (bitwarden in this case) auto log in for you? If I select it every time, I am fine anyway, right?

 

[svenmany]

Is clickjacking an issue if you don't have your browser plugin (bitwarden in this case) auto log in for you? If I select it every time, I am fine anyway, right?

I assume that: If "auto log in" is set then the add-on clicks on some submit button automatically. If "auto log in" is not set, then the data is filled in the fields, but it's up to you to click on a submit button. If that's what "auto log in" means, then turning that off does NOT save you.

If a highjacked click fills data into the fields, it's already too late. Once a malicious field receives input data, it can take action on that data. Avoiding explicit submission of that data via some other user or add-on triggered event doesn't help that much.

 

[eltoslightfoot]

I assume that: If "auto log in" is set then the add-on clicks on some submit button automatically. If "auto log in" is not set, then the data is filled in the fields, but it's up to you to click on a submit button. If that's what "auto log in" means, then turning that off does NOT save you.

If a highjacked click fills data into the fields, it's already too late. Once a malicious field receives input data, it can take action on that data. Avoiding explicit submission of that data via some other user or add-on triggered event doesn't help that much.

Well, it won't even do the part where it puts it into the fields without me agreeing. I have to select the box and select the account I want to use...but I would have to know the site is compromised...

 

[svenmany]

Well, it won't even do the part where it puts it into the fields without me agreeing. I have to select the box and select the account I want to use...but I would have to know the site is compromised...

As you click on "Accept cookies" or close an advertisement popup, you don't realize you're actually clicking on the various locations in the Bitwarden widgets, selecting an offered entry. Toth points out that it is easy for the malicious code to move the add-on's hidden widget to keep it strategically placed under where you're clicking. So, unless Bitwarden is preventing their widget from being hidden (so that you know you're clicking on it), there is a risk.

1Password's designers just assume that someone will eventually figure out a new way to hide an add-on's widget. So instead 1Password offers you the option to turn on a confirmation dialog. The confirmation dialog that 1Password triggers is not running within the web rendering engine at all. It can't be hidden by malicious code on the web site. My understanding is that when that dialog pops up, all execution within the web page is suspended until you respond to it. The extension's web elements trigger code which probably calls this:

Window: confirm() method - Web APIs | MDN

window.confirm() instructs the browser to display a dialog with an optional message, and to wait until the user either confirms or cancels the dialog.

developer.mozilla.org

 

[iosuser21]

I just noticed that the Minimalist Password Manager hasn't had an update in a year. As someone who paid for a license, I find this concerning and just sent them an email asking why there has been no update and that if they are abandoning the app, let me know so I can move on.

Did you get a response to this? On the verge of moving to apple passwords with access app and proton pass as a backup for cross platform use.

Have a funny feeling strongbox wont last now that it under different ownership.

 

[Apple_Robert]

Did you get a response to this? On the verge of moving to apple passwords with access app and proton pass as a backup for cross platform use.

Have a funny feeling strongbox wont last now that it under different ownership.

I did.

————

Hello,

Thanks for reaching out and for your purchase. It’s much appreciated!

Rest assured we are still developing Minimalist as it is our personal password manager and we use it everyday.

That being said, we have recently slowed down development and will likely continue at our new pace. This is primary because Minimalist has matured (mostly) into what we want it to be, and the remaining features we’d like to add are somewhat complex and will take time and effort to get right. These include:

• Shared Vaults (in progress)
• Passkey support (next up)
• One-Time Password AutoFill support (iOS 17 / macOS 14 and up)

Additionally, we will continue pushing out bug fixes as needed when new versions of iOS / macOS break things.

In summary, if you’re looking for a constant stream of updates, new features, and new designs, you’ll probably want to look elsewhere. However if you’re looking for a stable password manager to get the job done without changing too much over the years, Minimalist is your best bet!

Thanks again and take care!

- Jeffrey

 

[MacBH928]

-redacted-

 

[Mr. Heckles]

I checked on Enpass (my choice) website and its not working. Not sure if blip or the business went belly up. On iOS last update was 1 month ago.

walls are closing in on local storage password managers. the 2 killer features for me were local storage and the mini assistant. I checked Codebook and 1password and both seem to be taken out the mini assistant. Also codebook does not seem to have an option for local sync (desktop to phone) only via cloud subscription. Can any one deny or confirm?

Working for me: https://www.enpass.io/

 

[eltoslightfoot]

As you click on "Accept cookies" or close an advertisement popup, you don't realize you're actually clicking on the various locations in the Bitwarden widgets, selecting an offered entry. Toth points out that it is easy for the malicious code to move the add-on's hidden widget to keep it strategically placed under where you're clicking. So, unless Bitwarden is preventing their widget from being hidden (so that you know you're clicking on it), there is a risk.

1Password's designers just assume that someone will eventually figure out a new way to hide an add-on's widget. So instead 1Password offers you the option to turn on a confirmation dialog. The confirmation dialog that 1Password triggers is not running within the web rendering engine at all. It can't be hidden by malicious code on the web site. My understanding is that when that dialog pops up, all execution within the web page is suspended until you respond to it. The extension's web elements trigger code which probably calls this:

Window: confirm() method - Web APIs | MDN

window.confirm() instructs the browser to display a dialog with an optional message, and to wait until the user either confirms or cancels the dialog.

developer.mozilla.org

Update on this. I researched this pretty thoroughly and I think you are spot on. I switched to 1password over this (which I never said I would do once they went subscription). Thank you for bringing it to my attention.

 

[svenmany]

I checked Codebook and 1password and both seem to be taken out the mini assistant.

I don’t know what you mean; I might not know what you mean by mini assistant.

1Password has a small helper application that sits in the menu bar. From there I can launch the full app, open settings, or open the Quick Access interface. From Quick Access I have immediate access to all my content. The menubar app handles the various system shortcuts. This allows me to get to Quick Access with a key combination.

Do you expect more from a mini assistant that is not within that functionality?

 

[gregmac19]

I checked Codebook and 1password and both seem to be taken out the mini assistant. Also codebook does not seem to have an option for local sync (desktop to phone) only via cloud subscription. Can any one deny or confirm?

I haven’t a clue what you checked, but Codebook hasn’t changed. Secret Agent, which is what I guess you mean by “mini assistant”, is still there, as is manual sync over WiFi.

 

[svenmany]

Update on this. I researched this pretty thoroughly and I think you are spot on. I switched to 1password over this (which I never said I would do once they went subscription). Thank you for bringing it to my attention.

Thanks for double-checking me on that. I am also bothered by subscriptions and try to avoid them. I understand the subscription comment was only a minor point you made, but I'll take that as an opening 🙂

In the case of a password manager, I want to pay regularly.

I want a password company that invests heavily in constant research into the risks and security techniques to address those. I feel like I'm paying for more than a license to their software. When I give them money, I feel I'm paying for the research that will be applied to the next release. The worst thing I can imagine is a small software shop where the developers have to have other software jobs to make enough money.

Much of the work they do will have no concrete output, but I still want it done. They have to go to conferences, exchange ideas with their security peers in the industry, evaluate changing operating environments (OS, browser), and evaluate new threats. They also have to invest heavily in communication through posts and heavy forum participation.

Security professionals aren't cheap. This is not commodity software they're writing.

Other people are more casual. It would take a lot of definitions and study to determine whether being casual is good enough or what level of casual is optimal. A very casual attitude towards passwords might be incompatible with paying for password management at all. I'm not casual and I think about the nightmare of a password breach a lot.

BitWarden offers a version of their software for free. I only trust it because I know the company makes money from their paying subscribers. I hope people who can easily afford to pay don't just use the free version; someone has to fund the constant work.

 

[eltoslightfoot]

Thanks for double-checking me on that. I am also bothered by subscriptions and try to avoid them. I understand the subscription comment was only a minor point you made, but I'll take that as an opening 🙂

In the case of a password manager, I want to pay regularly.

I want a password company that invests heavily in constant research into the risks and security techniques to address those. I feel like I'm paying for more than a license to their software. When I give them money, I feel I'm paying for the research that will be applied to the next release. The worst thing I can imagine is a small software shop where the developers have to have other software jobs to make enough money.

Much of the work they do will have no concrete output, but I still want it done. They have to go to conferences, exchange ideas with their security peers in the industry, evaluate changing operating environments (OS, browser), and evaluate new threats. They also have to invest heavily in communication through posts and heavy forum participation.

Security professionals aren't cheap. This is not commodity software they're writing.

Other people are more casual. It would take a lot of definitions and study to determine whether being casual is good enough or what level of casual is optimal. A very casual attitude towards passwords might be incompatible with paying for password management at all. I'm not casual and I think about the nightmare of a password breach a lot.

BitWarden offers a version of their software for free. I only trust it because I know the company makes money from their paying subscribers. I hope people who can easily afford to pay don't just use the free version; someone has to fund the constant work.

Also a great point as even Bitwarden has nothing anywhere that I could find in regard to clickjacking. I guess the higher cost does indeed help. 😉 And it really isn't that much at this point compared to some others.

 

[gregmac19]

Also a great point as even Bitwarden has nothing anywhere that I could find in regard to clickjacking. I guess the higher cost does indeed help. 😉

Per Toth (https://marektoth.com/blog/dom-based-extension-clickjacking/) who found the clickjacking vulnerability, it is fixed in Bitwarden.

The problem with most password programs is that they use browser plug-ins, which as the clickjacking incident shows, is a bad idea.

 

[gregmac19]

BitWarden offers a version of their software for free. I only trust it because I know the company makes money from their paying subscribers...

Interestingly, you trust Bitwarden but seem to distrust Codebook. However, at least until the latest updates, Codebook was more secure to use than Bitwarden or 1Password, as Codebook has never used browser plug-ins.

 

[svenmany]

The problem with most password programs is that they use browser plug-ins, which as the clickjacking incident shows, is a bad idea.

It doesn't show that. All techniques of moving credentials into a web page fields have risks.

 

[gregmac19]

It doesn't show that. All techniques of moving credentials into a web page fields have risks.

As you know, concerns were expressed earlier in this thread about browser plug-ins, and those fears have now been realized with the clickjacking problem. In contrast, I have never heard of any issues with the Apple’s Password AutoFill.


A few things of note from the Toth document I referenced above:

Bitwarden:

“Do you think that stealing a payment card or personal data with a single click is a high severity issue?
Bitwarden sees this vulnerability slightly differently. Maybe it could be reason why it was not fixed even after more than 4 months...”

This reminds me of Bitwarden’s slowness to react to the kdf iterations issue.

1Password:

In the document that was updated two days ago (9/11/2025), Toth stills lists 1Password as vulnerable.

 

[MacBH928]

Working for me: https://www.enpass.io/View attachment 2548049

ay-yay-yay-yay...my culpa , I was checking enpass.com not enpass.io . Thanks for correcting me.

I don’t know what you mean; I might not know what you mean by mini assistant.

1Password has a small helper application that sits in the menu bar. From there I can launch the full app, open settings, or open the Quick Access interface. From Quick Access I have immediate access to all my content. The menubar app handles the various system shortcuts. This allows me to get to Quick Access with a key combination.

Do you expect more from a mini assistant that is not within that functionality?

I haven’t a clue what you checked, but Codebook hasn’t changed. Secret Agent, which is what I guess you mean by “mini assistant”, is still there, as is manual sync over WiFi.

yes these are the ones i am talking about. Each call it a different name. I went to their sites and didn't see it featured (maybe I missed it) so I thought maybe they "deprecated" it. Glad they are still around. Thanks for the confirmation.

 

[MacBH928]

Thanks for double-checking me on that. I am also bothered by subscriptions and try to avoid them. I understand the subscription comment was only a minor point you made, but I'll take that as an opening 🙂

In the case of a password manager, I want to pay regularly.

I want a password company that invests heavily in constant research into the risks and security techniques to address those. I feel like I'm paying for more than a license to their software. When I give them money, I feel I'm paying for the research that will be applied to the next release. The worst thing I can imagine is a small software shop where the developers have to have other software jobs to make enough money.

Much of the work they do will have no concrete output, but I still want it done. They have to go to conferences, exchange ideas with their security peers in the industry, evaluate changing operating environments (OS, browser), and evaluate new threats. They also have to invest heavily in communication through posts and heavy forum participation.

Security professionals aren't cheap. This is not commodity software they're writing.

Other people are more casual. It would take a lot of definitions and study to determine whether being casual is good enough or what level of casual is optimal. A very casual attitude towards passwords might be incompatible with paying for password management at all. I'm not casual and I think about the nightmare of a password breach a lot.

BitWarden offers a version of their software for free. I only trust it because I know the company makes money from their paying subscribers. I hope people who can easily afford to pay don't just use the free version; someone has to fund the constant work.

You are correct in that sense, but not all companies invest rationally in their security like LastPass. I'd say 1PW is pretty serious with their security though.