I have to agree Bitwarden must be the safest of all since it's open source, meaning a lot of people review the code already and a red flag is faster to raise.

Something like that is the prevailing wisdom. But, just being open source doesn't imply that a lot of people are looking at the code. It also doesn't imply that serious security experts are reviewing things with any regularity, since they probably have day jobs.

The actual wisdom is that an open source project that has a lot of competent people working on it or reviewing it is safer than a closed source one. Bitwarden is a pretty high profile project, so we might be good. They have 13 GitHub repositories and pull requests for each. Casually looking around, I don't see any activity addressing security flaws, but tons and tons of activity on much more trivial stuff. But still, lots of activity means lots of eyes on the code.

As an aside, I notice that the most recent pull request for the desktop client was to upgrade to a later Electron release. I guess that could be viewed as security related; it might make things worse or better from a security point of view. :) People on this thread have raised a concern about the security of Electron. So, Bitwarden desktop inherits their concern.
The actual wisdom is that an open source project that has a lot of competent people working on it or reviewing it is safer than a closed source one. Bitwarden is a pretty high profile project, so we might be good. They have 13 GitHub repositories and pull requests for each. Casually looking around, I don't see any activity addressing security flaws, but tons and tons of activity on much more trivial stuff. But still, lots of activity means lots of eyes on the code.
Oh absolutely. The community and developer engagement on the project was one of the selling points for me.
 
I have to agree Bitwarden must be the safest of all since it's open source, meaning a lot of people review the code already and a red flag is faster to raise.

I'd say that Bitwarden, Enpass, and Codebook are the safest, due to them all using SQLCipher, which is FOSS as well, and peer reviewed on top of that.

BL.
I'd say that Bitwarden, Enpass, and Codebook are the safest, due to them all using SQLCipher, which is FOSS as well, and peer reviewed on top of that.

BL.
There are layers to these software projects. My understanding is that Codebook uses SQLCipher and SQLCipher uses OpenSSL. The SQLCipher website asserts that OpenSSL is peer reviewed. Is that what you mean by peer reviewed?

Many projects use OpenSSL. The famous Heartbleed Bug was in that library. Based on your post, I was curious whether 1Password used OpenSSL as well, so I did a search. I found a surprising post on 1Password forums in August of this year https://1password.community/discussion/comment/607995#Comment_607995

The part of the post related to OpenSSL was about them moving away from it. "Rework of the encryption to avoid using older OpenSSL libraries." and "Encryption uses the well-regarded open-source Ring library." I don't know anything about Ring.

I don't know what to make of the advertisement that OpenSSL is peer reviewed. I think I understand what "peer reviewed" means with regard to journal submissions; an article could be rejected if it doesn't pass peer review. But in the case of a software project, peer reviews could just expose weaknesses that don't get addressed. Not all reviews are glowing. Perhaps some of those reviews motivated 1Password to move away from OpenSSL.

Any ideas?
 
There are layers to these software projects. My understanding is that Codebook uses SQLCipher and SQLCipher uses OpenSSL. The SQLCipher website asserts that OpenSSL is peer reviewed. Is that what you mean by peer reviewed?

Many projects use OpenSSL. The famous Heartbleed Bug was in that library. Based on your post, I was curious whether 1Password used OpenSSL as well, so I did a search. I found a surprising post on 1Password forums in August of this year https://1password.community/discussion/comment/607995#Comment_607995

The part of the post related to OpenSSL was about them moving away from it. "Rework of the encryption to avoid using older OpenSSL libraries." and "Encryption uses the well-regarded open-source Ring library." I don't know anything about Ring.

I don't know what to make of the advertisement that OpenSSL is peer reviewed. I think I understand what "peer reviewed" means with regard to journal submissions; an article could be rejected if it doesn't pass peer review. But in the case of a software project, peer reviews could just expose weaknesses that don't get addressed. Not all reviews are glowing. Perhaps some of those reviews motivated 1Password to move away from OpenSSL.

Any ideas?

Both Codebook and SQLCipher are coded/developed by Zetetic.


From that:

SQLCipher was originally developed and is currently maintained by Zetetic LLC. The public release of SQLCipher was released in November, 2008. At first, SQLCipher was solely used as the security backend for our password manager and data vault, Codebook. However, with its small footprint and excellent performance, it quickly became a popular security tool, especially for mobile developers. SQLCipher is ideal for protecting application data of all kinds. SQLCipher uses peer-reviewed cryptographic providers and algorithms to ensure that all data in encrypted databases is secured. Simple configuration and good default security practices reduce the burden on developers implementing security solutions. Likewise, broad platform support across iOS, Android, Windows, macOS, and Linux environments, with cross-platform database compatibility, ensures that SQLCipher will work anywhere it's needed. For these reasons, SQLCipher is now one of the most widely used secure database solutions available, protecting data for thousands of applications on hundreds of millions of devices.

If the code for those providers is untouched, then those making up SQLCipher would be peer reviewed, let alone FOSS. If they are peer reviewed, then by extension one could say that parts of SQLCipher are peer reviewed. How much else outside of those providers is peer reviewed is a good question.

BL.
 
Something like that is the prevailing wisdom. But, just being open source doesn't imply that a lot of people are looking at the code. It also doesn't imply that serious security experts are reviewing things with any regularity, since they probably have day jobs.

The actual wisdom is that an open source project that has a lot of competent people working on it or reviewing it is safer than a closed source one. Bitwarden is a pretty high profile project, so we might be good. They have 13 GitHub repositories and pull requests for each. Casually looking around, I don't see any activity addressing security flaws, but tons and tons of activity on much more trivial stuff. But still, lots of activity means lots of eyes on the code.

As an aside, I notice that the most recent pull request for the desktop client was to upgrade to a later Electron release. I guess that could be viewed as security related; it might make things worse or better from a security point of view. :) People on this thread have raised a concern about the security of Electron. So, Bitwarden desktop inherits their concern.

Being open source does not mean it's secure; that's why I look for a popular FOSS project. This way I know enough people care about it to look into it, and enough people try to attack it. This is a main reason I do not choose a one-man team to be my choice for a password manager, like SafeInCloud, no matter how good it is. It's better to be with the herd sometimes.

Personally I do not have too much problem with Electron. I read it takes 333MB of RAM but that's nothing in the modern day where computers come with 8 and 16 GB RAM (4%-2% of resources). As for security, I just do not know anything about that.
To a degree.

Since 1Password 6.x is an Intel binary, you'll see that it is running under Rosetta 2. 1Password 6 - as well as all Intel binaries - will run on any M1 Mac until Apple completely removes Rosetta from macOS. When they do - which will mean all Intel support would be dropped from macOS - 1Password 6 and any other Intel binary will effectively stop working. So to speak, you're on borrowed time. I'm in the same boat with 1Password 6, which is why I've started the migration off of it.

BL.
Do I need to install Rosetta to run 1Password 6 on Apple's silicon/Monterey?
 
Do I need to install Rosetta to run 1Password 6 on Apple's silicon/Monterey?

No. When you run any Intel binary on Monterey for the first time, Monterey will prompt you to install Rosetta 2. It is available already on the OS (read: not requiring a separate download), but not installed and running by default. That way if you don't need to run any Intel binaries, you don't have to have it installed.

BL.
 
really?

1-Linus Torvalds created a whole operating system because he didn't like the closed source Unix and didn't want to pay.

2-Netflix was created because the founder was charged $40 in late fees by Blockbuster

3-LibreOffice created because they don't want to use Microsoft Office because it's closed source

4-GNU was created because Stallman refused to use closed source software

5-Brave created because Chrome is too intrusive

6-ProtonMail created because people don't want free email from Google and Yahoo because it spies on them

7-teddit and libreddit created because they don't like Reddit policies and advertisement

8-Mastodon created because they don't like the centralized control of Twitter.

Shall I continue? Looks like we need a lot of shrinks already.
Was this before or after whining about it on the forum? Will you be creating a better alternative to 1Password then?
 
Was this before or after whining about it on the forum?

Not for nothing, but which forum?

Linus complained about all of the other Unixes at the time in comp.os.minix, and posted his announcement for Linux in that group.

Coincidentally, 3 years after that announcement was made, a ton of SunOS boxes were hacked and taken over, due to the lack of security in its kernel that gave users privileged access. Linux didn't have that vulnerability. Shortly after those incidents, SunOS was abandoned, in favor of Solaris.

Phil Zimmermann complained about how buggy RSA, IDEA, MD4, and MD5 were back in the mid 1990s, and created PGP due to that. He posted that announcement in comp.security. Whining about it ensued due to someone (not Phil) leaking that code to a newsgroup that had access overseas. The government considered cryptography to be weapons and munitions, so they decided to go after Zimmermann as a criminal. They lost that case because they couldn't prove that Zimmermann posted that code.

Will you be creating a better alternative to 1Password then?

We have alternatives here, which we are discussing. But the statement that we're only concerned about what is stored as text in a text field is disingenuous.

BL.
 
Was this before or after whining about it on the forum? Will you be creating a better alternative to 1Password then?

Well, Stallman is still complaining 37 years later. I do not have to create an alternative since others already solved the problem to an extent, like Enpass, which enables a license option, or Codebook, which does not even have a subscription option.

The more important question is, what's your contribution to this thread?
No. When you run any Intel binary on Monterey for the first time, Monterey will prompt you to install Rosetta 2. It is available already on the OS (read: not requiring a separate download), but not installed and running by default. That way if you don't need to run any Intel binaries, you don't have to have it installed.

BL.
If Rosetta 2 is installed, does it run in the background all the time? I'm asking because I have a new MBP with Monterey on it and don't want to "contaminate" it with outdated and unnecessary software.

I installed 1Password 7, it runs with my 1Password 6 license, but it doesn't let me edit anything, the Edit function is disabled.
 
I do not have to create an alternative since others already solved the problem to an extent, like Enpass, which enables a license option, or Codebook, which does not even have a subscription option.
In terms of security, how does Apple's keychain compare to 1Password and Bitwarden?
 
If Rosetta 2 is installed, does it run in the background all the time? I'm asking because I have a new MBP with Monterey on it and don't want to "contaminate" it with outdated and unnecessary software.

To my knowledge, it does not run in the background all the time. It should only run for the duration of the Intel binary that is being run. I say "to my knowledge", as that is how I perceive it to be; I do not have a Silicon Mac yet.

I installed 1Password 7, it runs with my 1Password 6 license, but it doesn't let me edit anything, the Edit function is disabled.

Whoa. Are you saying that you are able to apply your 1Password 6 license to 1Password 7? As in, you did not need a separate license for 1Password 7? According to AgileBits, 1Password 7 shouldn't take a license from 1Password 6:


BL.
 
To my knowledge, it does not run in the background all the time. It should only run for the duration of the Intel binary that is being run. I say "to my knowledge", as that is how I perceive it to be; I do not have a Silicon Mac yet.

Speaking as an Apple Silicon MBP owner, Rosetta 2 isn't perceptible. Is it running? Is it not running? I'd probably have to look to find out. AFAIK it is only active if an Intel binary is running.

That said, I encounter no discernible effects of running a legacy Intel binary vs a native AS binary.

IMHO not something to worry about
 
Whoa. Are you saying that you are able to apply your 1Password 6 license to 1Password 7? As in, you did not need a separate license for 1Password 7? According to AgileBits, 1Password 7 shouldn't take a license from 1Password 6:


BL.
Yes, that is what I'm saying. But when I open 1Password 7, it opens a popup advertising their subscription model, and I cannot edit anything. But all of my logins are there and I can use the app. I can edit on my iPhone and it updates it on the Mac.
If Rosetta 2 is installed, does it run in the background all the time? I'm asking because I have a new MBP with Monterey on it and don't want to "contaminate" it with outdated and unnecessary software.

I installed 1Password 7, it runs with my 1Password 6 license, but it doesn't let me edit anything, the Edit function is disabled.
If the edit function is disabled, make sure the software doesn’t think you have a sub. 1Password 7 runs on the M1 without Rosetta.
 
Just saw this; you might have a look before you update to 1Password v8.5 and want to import your data to Bitwarden before it's too late. I've already been using Bitwarden for 7 months, no looking back, happy to throw money at them!

New version of 1Password means no way to import 1Password data into Bitwarden
If that ends up being true, 1Password is really screwing unsuspecting customers. That is really crappy of them to do such a thing. So glad I found Strongbox and Bitwarden. And if need be, I also have Enpass under another Apple ID I can share.
One more reason to switch from 1PW to an alternative. I will not risk a vendor lock-in with my passwords. And even if the new format can eventually be parsed by other applications, the risk is too great if 1PW starts making such moves.
 
Yes, that is what I'm saying. But when I open 1Password 7, it opens a popup advertising their subscription model, and I cannot edit anything. But all of my logins are there and I can use the app. I can edit on my iPhone and it updates it on the Mac.

Exactly the same experience I had. What this is, is that 1Password 7 has left your vault in read-only mode. You can use the application on your existing passwords there in your vault, but you cannot sync that vault to another device (meaning your Mac is the source) nor add new passwords directly to that vault without using another vault as the source. That would require the license, which you do not have for 1Password 7. Additionally, those 1Password 7 licenses can no longer be purchased for any standalone-type vault, meaning you are being forced to purchase their subscription if you want to continue to use 1Password.

Making it worse, uninstalling 1Password 7 and reinstalling 1Password 6 doesn't remove that vault from being read-only. For me, I had to do a full Time Machine restore of my Mac to remove all traces of anything 1Password 7 had put on my Mac. That alone makes 1Password 7 a non-starter for me. I am not wanting to risk my privacy nor my security by putting my passwords not only into any cloud service, but only their service, and not knowing what they would do with my passwords/vault should I end that subscription.

BL.
If that ends up being true, 1Password is really screwing unsuspecting customers. That is really crappy of them to do such a thing. So glad I found Strongbox and Bitwarden. And if need be, I also have Enpass under another Apple ID I can share.
Think they’re talking about trying a v6 license file with v7

My actual v7 doesn't behave this way. No pop ups or advertising. I upgraded to v7 three years ago when it was still available as a standalone license.
 