This thread has been rather hostile towards AgileBits from the beginning, people continuing to use 1p may feel uncomfortable since the implication is that they support poor business practices (which is up to debate), and feel the need to respond. If you want it to be friendlier just focus less on greed and betrayal and more on personal choices. AgileBits took a good option away but it’s just an unfortunate business decision.
Fwiw I didn’t like the move to Electron but decided to continue using it. Cloud hosting and a sub is what I originally signed up for.

I still like 1Password but only 1Password 7 not 8.

The UI of 1Password 8 is disappointing for me sadly. :(

They said I could stay on 1Password 7 but I can't forever of course.
 
I still like 1Password but only 1Password 7 not 8.

The UI of 1Password 8 is disappointing for me sadly. :(

They said I could stay on 1Password 7 but I can't forever of course.
I installed 8 on windows, I don’t see who benefits from this change, the old app was fine even on windows. Maybe Linux users. But most of the time I only need the browser add on.
 
For instance, you have more options to categorize your data. I have a significant amount of software licenses stored in 1Password. Bitwarden marked them as secure notes, not something that I'm all that jazzed up over.
That was a pain for me also with the software licenses. They do have more item types on their roadmap for Q1 of next year. Hopefully that will be one of them.
 
I have been following this thread for quite a while and find it very interesting as everyone tests out these products. Password security is very important and it's interesting to learn what others value in a password manager. As a LastPass user for years, I've not tried any of these competing products. I've used Apple Keychain and Microsoft password sync solutions, but once I locked in on LastPass I've stayed with this product.

I do see the value in choosing where your vaults are (local versus cloud) etc. but for me personally, the main feature I am concerned about is encryption. All of these solutions offer industry grade encryption and I feel at the end of the day, no matter where you store your passwords, encryption is the most important factor.

My post is not to try and change anyone's mind or persuade them to try LastPass, but I just got this email from LastPass so thought I'd share as information that some might find interesting.



Keep up the great testing - I really do enjoy reading about everyone's experience and who knows, I might get persuaded to try a different solution:)
 
Keep up the great testing - I really do enjoy reading about everyone's experience and who knows, I might get persuaded to try a different solution:)
Definitely agree that it's been interesting seeing what other people have thought about the various applications they've tried.
 
LastPass so thought I'd share as information that some might find interesting.
That's really great news, I see it's starting to hit all the news wires. So LogMeIn is spinning off LastPass; I do wonder what precipitated the move.
 
That's really great news, I see it's starting to hit all the news wires. So LogMeIn is spinning off LastPass; I do wonder what precipitated the move.
I don't know what precipitated the move. I've been with them since before they merged with LogMeIn, so it will be interesting to see what transpires once they are on their own again.
 
Not really, you never know when a new option is released. I mean we didn't discover Codebook until like 30 pages in, and now some members chose it as their default password manager.

Some responders stated they are fine with a subscription and the way 1Password is going, and that's ok; no one here forced them to change their mind.

Other contributors feel like they are paid advertisers for 1Password or have a personal interest in AgileBits or work for them. They will attack you if you don't like 1Password or AgileBits.

Agreed. This has been a great thread with lots of important information. I'm really surprised that @toasted ICT would like to see it deleted.

I'm happy you said "feel like" rather than "are", as @toasted ICT said. Attacking the integrity of fellow posters is not cool, unless there is actual supporting evidence.
 
I don't know what precipitated the move. I've been with them since before they merged with LogMeIn, so it will be interesting to see what transpires once they are on their own again.
I was wondering if it was related to the controversy over the change to their free plan, but they claim it's not.

"LogMeIn CEO Bill Wagner says the plan to spin out LastPass wasn’t connected with the backlash over the paywall, and 75% of revenues for the password manager now came from corporate clients."
 
I do see the value in choosing where your vaults are (local versus cloud) etc. but for me personally, the main feature I am concerned about is encryption. All of these solutions offer industry grade encryption and I feel at the end of the day, no matter where you store your passwords, encryption is the most important factor.

My problem with cloud storage is that I do not want to hear an employee didn't have enough sleep and clicked something and there was a bug that released everyone's passwords online. I do not know how programming works, but I have heard of enough "leaks" already to make me wary of cloud storage. Remember, a password manager unlocks EVERYTHING and carries important data like passport and bank info. "Social engineering hacks" will be all over the place.

On the opposite side, cloud password storage has been around for many years now, and across all the companies I haven't heard of a password leak happening... yet.

I was wondering if it was related to the controversy over the change to their free plan, but they claim it's not.

"LogMeIn CEO Bill Wagner says the plan to spin out LastPass wasn’t connected with the backlash over the paywall, and 75% of revenues for the password manager now came from corporate clients."

I wonder how those corporate clients choose a password manager; between all of them they are similarly priced and do the exact same thing: LastPass, 1Password, Dashlane, RoboForm, Password Boss, the list goes on.
 
On the opposite side, cloud password storage has been around for many years now, and across all the companies I haven't heard of a password leak happening... yet.

I don't know if you were privy to or were aware of the Dropbox hack, as they had a major breach... IIRC, somewhere around 68 million accounts, including passwords, were leaked.


BL.
 
My problem with cloud storage is that I do not want to hear an employee didn't have enough sleep and clicked something and there was a bug that released everyone's passwords online.

Ah, but that's a selling point of password managers that are zero knowledge (such as Bitwarden). They don't know or store your master password. They handle managing your encrypted blob that contains all of your passwords, but they couldn't decrypt the blob even if they wanted to. The master password also isn't stored on your computer or put into memory on your computer. Only an encryption key based on your master password is stored in memory while your vault is unlocked.
 
Ah, but that's a selling point of password managers that are zero knowledge (such as Bitwarden). They don't know or store your master password.

The main problem is that the "login" password for the web vault is the same as the password for encryption. In theory this is safe, as the password is hashed in the browser and not transferred to the client. But there could easily be a bug that transfers the password in cleartext. The same principle applies when using any of the apps.

This could be mitigated by using different passwords for logging into the vault and for encrypting the data or by using no web storage at all...

And there could always be a bug in the encryption functions which makes it easier for an attacker to break the encryption. In case data is stored on a server on the internet, the additional layer of protection given by the fact that the data is not accessible to an attacker is missing.
 
This is why 1Password has a secret key. You need to know both in order to access the information. I'm not a fan of using it, mind you, but I see the value in its implementation.




LastPass uses the user ID and password to create encryption keys and salted hashes that are local only.


From the whitepaper
Key Derivation
When a user creates their account, we first do a hash of the LastPass Master Password using the username as the salt. This is performed on the user’s device (client-side). We use a default of 100,100 rounds of PBKDF2-SHA256 to create the encryption key, on which we perform another single round of hashing, to generate the Master Password authentication hash (or the “login hash”).

This hash is sent to the LastPass server so that we can perform an authentication check as the user is logging in. With that value, we use a salt (a random string per user) and do another 100,100 rounds of PBKDF2 hashing, in addition to hashing with Scrypt, a best-in-class hashing algorithm. When the user logs in, we compare this value to the authentication hash in our database.

This is the value that LastPass stores on its servers to check against when the user next logs in. The Master Password and encryption key are never sent to our servers. And because hashing is a one-way algorithm, LastPass cannot reverse the authentication hash that it receives.

In summary: With a good Master Password, cracking our algorithms is unrealistic, even for the strongest of computers.

Key Strengthening with PBKDF2
LastPass has implemented AES 256 with thousands of rounds of PBKDF2 SHA-256, a password-strengthening algorithm, to create the user’s unique encryption key.


I think the odds of a breach getting the user name, password, and decrypting an AES 256 encrypted blob are pretty remote. Not impossible, but extremely, extremely remote

Again, not trying to persuade anyone to switch to LastPass, but a lot of discussion in this thread about cloud vault security so wanted to share how LastPass approaches the encryption of the vault.
 
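The derivation the whitepaper excerpt above describes, worked through end to end as an added example (this is not LastPass's code, nor code from anyone in the thread). It also makes concrete the point raised a few posts up about the login password and the encryption password being the same secret: the value the server receives is one further one-way step past the encryption key, so the server's record can check a login but cannot unlock the vault. Assumptions not stated in the quoted text: the salt for the single extra round (the username is reused here), the order of the server-side PBKDF2 and scrypt steps and the scrypt cost, 32-byte key lengths, and a small HMAC-based encrypt-then-MAC construction standing in for AES-256 because the Python standard library ships no AES. The username, password and vault contents are constructed sample data.

```python
"""Client/server key-derivation split as described in the quoted LastPass
whitepaper text. Added example, not vendor code; see the assumptions in the
lead-in and in the comments below."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Tuple

ROUNDS = 100_100  # "100,100 rounds of PBKDF2-SHA256", as quoted


# ---- client side: nothing here leaves the device except login_hash ----

def client_derive(master_password: str, username: str) -> Tuple[bytes, bytes]:
    """Return (enc_key, login_hash): PBKDF2-SHA256 over the master password
    salted with the username, then one more round over that key to get the
    authentication hash. Salt for the extra round is assumed (username)."""
    enc_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), ROUNDS, 32)
    login_hash = hashlib.pbkdf2_hmac(
        "sha256", enc_key, username.lower().encode(), 1, 32)
    return enc_key, login_hash


# ---- server side: stores only a salted, stretched verifier of login_hash ----

def _server_stretch(login_hash: bytes, salt: bytes) -> bytes:
    # Another ROUNDS of PBKDF2 with a per-user random salt, then scrypt.
    # The quote gives neither the order nor the scrypt cost; both are assumed.
    stretched = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ROUNDS, 32)
    return hashlib.scrypt(stretched, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def server_enroll(login_hash: bytes) -> Dict[str, bytes]:
    """Signup: the server keeps {salt, verifier}; it never sees enc_key."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": _server_stretch(login_hash, salt)}


def server_verify(record: Dict[str, bytes], login_hash: bytes) -> bool:
    """Login: recompute the verifier from the presented hash, compare in constant time."""
    return hmac.compare_digest(record["verifier"],
                               _server_stretch(login_hash, record["salt"]))


# ---- vault encryption: encrypt-then-MAC stand-in for AES-256 ----

def _subkeys(enc_key: bytes) -> Tuple[bytes, bytes]:
    # Separate confidentiality and integrity keys, derived by label.
    return (hmac.new(enc_key, b"enc", hashlib.sha256).digest(),
            hmac.new(enc_key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with a fresh random nonce per call."""
    ck, mk = _subkeys(enc_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ck, nonce, len(plaintext))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_blob(enc_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering
    (a wrong key also fails here, since it yields a different MAC key)."""
    ck, mk = _subkeys(enc_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vault blob failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ck, nonce, len(ct))))


# ---- what a stolen server record does and does not give an attacker ----

def offline_guess(record: Dict[str, bytes], username: str, candidate: str) -> bool:
    """With {salt, verifier} an attacker can test guesses offline, but pays the
    full client + server derivation for every single guess."""
    _, login_hash = client_derive(candidate, username)
    return server_verify(record, login_hash)


if __name__ == "__main__":
    user, pw = "alice@example.com", "correct horse battery staple"  # constructed
    enc_key, login_hash = client_derive(pw, user)
    record = server_enroll(login_hash)
    blob = seal(enc_key, b"bank.example: hunter2")  # constructed vault content
    print("login ok:", server_verify(record, login_hash))
    print("vault:", open_blob(enc_key, blob))
    print("server record contains enc_key:", enc_key in record.values())
    print("offline guess 'password123':", offline_guess(record, user, "password123"))
```

The last line of the demo is the other side of the coin: a stolen {salt, verifier} record does not reveal the key, but it does allow offline guessing, which is why the whitepaper's "with a good Master Password" qualifier carries the weight. Each guess costs the attacker 200,200 PBKDF2 rounds plus a scrypt call, so the stretching buys time, not immunity.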
The main problem is that the "login" password for the web vault is the same as the password for encryption. In theory this is safe, as the password is hashed in the browser and not transferred to the client. But there could easily be a bug that transfers the password in cleartext. The same principle applies when using any of the apps.

This is pretty far fetched, especially considering that Bitwarden's whole business model is zero knowledge where the password doesn't need to be transferred AND it's open source with so many eyes looking at the code.
 
This is pretty far fetched, especially considering that Bitwarden's whole business model is zero knowledge where the password doesn't need to be transferred AND it's open source with so many eyes looking at the code.
I agree that the scenario is pretty remote. However, given the recent log4j vulnerability, it shows that open source can be just as susceptible to security issues as proprietary software.

 
The main problem is that the "login" password for the web vault is the same as the password for encryption. In theory this is safe, as the password is hashed in the browser and not transferred to the client. But there could easily be a bug that transfers the password in cleartext. The same principle applies when using any of the apps.

I think there are two different aspects to your very valid concern. Both worry me.

A password manager company might provide an in-browser application to access the cloud-based vault​

I do think of the in-browser application as a hardened application, similar in security to the desktop application. When I access xyz.1password.com (I'M NOT ADVOCATING 1PASSWORD), a Javascript application is delivered to my browser and starts running. From then on, all of my interactions are with that Javascript program, in the same way they would be when I'm using the desktop application. My login credentials are only being directly provided to that local application. (wishful thinking?)

I can think of two significant, additional risks to browser applications as compared to desktop ones.

1 - Bugs or viruses in the browser itself. Yeah, that's serious. People use all sorts of browsers. It's hard to know which ones to trust.

2 - Browser applications are delivered to one's machine far more often than desktop applications. For example, if you clear your browser cache, your browser has to get the application again. On the other hand, a desktop application is only delivered when originally downloaded and subsequently updated to later versions. So, I guess you could say that a browser application has an elevated supply-chain vulnerability.

Browser extensions have similar risks to full blown web applications. Unfortunately, browser extensions are a risk even if you only have local vaults. Heck, for that matter, all software is a risk.

Vaults are stored in the cloud​

Even though the ability to unlock the vault is completely local for a "TNO - trust no one" solution, there has to be some way for the user to supply credentials to the server to be able retrieve the vault. At the same time, those credentials presented to the server must not be usable by the server to unlock the vault. This is an easily solved cryptographic challenge. It is the same challenge for a browser-based application as it is for a desktop application.

The risk here is complexity. The challenge of safely delivering the vault (or communicating at all with any server) goes away when you just have local vaults. So, bugs and design flaws are a more serious concern. As you said, if a bug allows the application to deliver credentials to the server that can also unlock the vault, then that would be very serious.

However, using a cloud service like Dropbox to store your vault is probably much worse with respect to vault access (not vault unlocking). Dropbox uses a simple password. As a contrasting example, 1Password forces your password to be unbearably complex. But, they split it up into two pieces. One piece is the master password that you memorize and type in over and over again. The other piece, the secret key, is required once per machine (or browser), is a randomly generated 32 character string, and retained by the machine to be used on your behalf. I don't know how other cloud storage password managers do this.

Please - I'm not advocating for 1Password. I'm not saying they do a better job than anyone else at dealing with the complexities of cloud storage.
 
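The "split it up into two pieces" idea from the post above, shown as an added example: a memorized master password and a random, device-held 32-character secret key both feed the vault key, so a stolen server-side verifier cannot even be brute-forced offline without the second piece. This is a deliberately simplified construction written for this thread, not 1Password's actual protocol (which is not described on this page); the mixing step (HMAC of the stretched password keyed by the secret key), the PBKDF2 costs, the login-token derivation and the key alphabet are all assumptions, and the username and password are constructed sample data.

```python
"""Two-secret vault key: memorized password + device-held random key.
Added, simplified illustration; not any vendor's implementation."""
import hashlib
import hmac
import secrets
from typing import Dict

ROUNDS = 100_000          # assumed PBKDF2 cost for the password stretch
VERIFIER_ROUNDS = 10_000  # assumed server-side cost on the login token
KEY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no look-alikes


def new_secret_key() -> str:
    """Generated once per account at random; copied to each enrolled device,
    never typed from memory and never sent to the server."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(32))


def derive_vault_key(master_password: str, secret_key: str, username: str) -> bytes:
    """Both pieces are required: stretch the memorized password first, then
    mix in the high-entropy secret key (assumed construction)."""
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), ROUNDS, 32)
    return hmac.new(secret_key.encode(), stretched, hashlib.sha256).digest()


def login_token(vault_key: bytes) -> bytes:
    """The only value that goes to the server: one-way derived from the vault key,
    so holding it does not help decrypt the vault."""
    return hmac.new(vault_key, b"auth", hashlib.sha256).digest()


def enroll(vault_key: bytes) -> Dict[str, bytes]:
    """Server record at signup: a salted, stretched verifier of the login token."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_token(vault_key), salt,
                                   VERIFIER_ROUNDS, 32)
    return {"salt": salt, "verifier": verifier}


def verify(record: Dict[str, bytes], token: bytes) -> bool:
    expected = hashlib.pbkdf2_hmac("sha256", token, record["salt"], VERIFIER_ROUNDS, 32)
    return hmac.compare_digest(record["verifier"], expected)


def offline_guess(record: Dict[str, bytes], username: str,
                  password_guess: str, secret_key_guess: str) -> bool:
    """An attacker holding a stolen {salt, verifier} tests a (password, secret key)
    pair. Guessing the password alone is not enough; the 32-character random key
    has to be guessed too, which is infeasible."""
    token = login_token(derive_vault_key(password_guess, secret_key_guess, username))
    return verify(record, token)


if __name__ == "__main__":
    user, pw = "alice@example.com", "correct horse battery staple"  # constructed
    sk = new_secret_key()
    record = enroll(derive_vault_key(pw, sk, user))
    print("right password, no secret key: ", offline_guess(record, user, pw, ""))
    print("right password, right key:     ", offline_guess(record, user, pw, sk))
```

The practical consequence, and the reason the post describes the secret key as a separate piece that each machine retains: a server-side breach yields nothing that can be cracked by guessing passwords, while a compromised device that already holds the secret key is back to the single-password case, so the two pieces protect against different failures.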
Just got a new iMac M1 24" and upgraded OS to Monterey 12.0.1. Tried 1PW v6.8.9 app and IT RUNS! Even the browser extensions work in the latest Firefox and Chrome browsers. So happy I don't have to deal with a subscription nor changing to another manager.
 
I agree that the scenario is pretty remote. However, given the recent log4j vulnerability, it shows that open source can be just as susceptible to security issues as proprietary software.
Oh sure, any software is going to have issues. Bitwarden has had some minor ones they've had to correct after being audited. That's a world of difference from "the password might be sent in clear text via the Internet" though.
 
Just got a new iMac M1 24" and upgraded OS to Monterey 12.0.1. Tried 1PW v6.8.9 app and IT RUNS! Even the browser extensions work in the latest Firefox and Chrome browsers. So happy I don't have to deal with a subscription nor changing to another manager.

To a degree.

Since 1Password 6.x is an Intel binary, you'll see that it is running under Rosetta 2. 1Password 6 - as well as all Intel binaries - will run on any M1 Mac until Apple completely removes Rosetta from macOS. When they do - which will mean all Intel support would be dropped from macOS - 1Password 6 and any other Intel binary will effectively stop working. So to speak, you're on borrowed time. I'm in the same boat with 1Password 6, which is why I've started the migration off of it.

BL.
 
I don't know if you were privy to or were aware of the Dropbox hack, as they had a major breach... IIRC, somewhere around 68 million accounts, including passwords, were leaked.


BL.

I keep hearing that leaks are harmless metadata, so I do not read into it too much.

Which Password Managers Have Been Hacked?

If people's passwords were released, then why do they even still have customers?

Ah, but that's a selling point password managers that are zero knowledge (such as Bitwarden). They don't know or store your master password. They handle managing your encrypted blob that contains all of your passwords but they couldn't decrypt the blob even if they wanted to. The master password also isn't stored on your computer or put into memory on your computer. Only an encryption key based on your master password is stored in memory while your vault is unlocked.

I thought all password managers work like that? Or do the others have the keys to unlock your vaults?
I have to agree Bitwarden must be the safest of all since it's open source, meaning a lot of people review the code already and a red flag is faster to raise.
 