As I am switching everything away from iCloud out of security concerns.. I did give 1pass a try for the last few weeks.. It's honestly not bad... I hate having to pay for something like this... But I do feel that it's worth it. I just wish I had something that was self hosted..

Not to derail this thread but what concerns do you have?


I hear what you're saying but by the same token, if you don't pay for a product, then you are the product. I'm all for paying developers for their hard work. I truly hate the subscription model, but for what I get and the price that Bitwarden charges, it's a no-brainer for me.

Paying the developer is something everyone should do even via donations for FOSS apps, that $1 really makes a difference (multiply by 1 million users or more!) but subscription model unless it's an ongoing service like email and vpn is just greed.

DiskWarrior and CarbonCopyCloner sell only to Mac users and DiskWarrior has been around for like 40 years!

Basically that if my iCloud account becomes compromised, then they have access to everything. As well as the keychain access app on macs are not password protected.. (not the one in safari), but the actual app...

Here's a video I ran across a couple of weeks ago.. It's not bible.. but it began my rabbit hole of research... as I'm in the process of moving EVERYTHING out of iCloud... and it's not because I don't trust Apple.. I just want to control everything as much as possible..

you are correct not to trust Apple. Those companies are starting to own our lives and everything is connected to their services. Diversifying is better plus I heard iCloud is not encrypted and I do not want to get into details about what is encrypted and what is not encrypted.
 
subscription model unless it's an ongoing service like email and vpn is just greed.
Doesn’t a password manager require cloud sync for multiple devices? In that case aren’t you just paying for the cloud? I’m asking because that’s what I’ve always thought.
I heard iCloud is not encrypted
iCloud is definitely encrypted. Not sure where you heard this from but it’s incorrect. The problem is Apple has the encryption keys therefore has access to your data and can decrypt it. It’s secure but not private at all.
 
Hope this means good things for Bitwarden.


Shocking and pleasant at the same time. Investing $100M in a FOSS app is a bit dangerous. At one point, how much people are paying for password managers? Makes me think how much 1password was making in money that was not enough for them so much so to jump into subscription.

On the other point, if this is lucrative we might see more FOSS investing which is very good news for everyone. Less monopoly, more free, more secure. Unfortunately, USA investing pattern show that stock owners squeeze the company for the highest amount of profit they can get out of it and this show on most major US brands. Quality is a second thought. Isn't this how 1password turned evil!?

Why?

This thread was started by someone who was unhappy with the subscription model, and business changes that impacts their perpetual license. Additionally some people don't like the use of Electron to build the app. I'm not marginalizing those concerns, I myself moved off of 1Password, but I don't see them suddenly going out of business. They're one of the major password manager companies.


I hope so, I think it's an excellent product.

Actually he is not wrong. I have seen this path before with MySpace, Yahoo, and Blockbuster. Netflix is not having a good time. I still remember Real player which was the de facto way to watch videos on the internet. Some other companies are evil but continue to thrive like Facebook and Nestle. So we will see.

I think it's important to know, as a customer or a potential customer to consider if there's a pattern. While this latest hack may not have accessed customer data, my concern is that this keeps happening. Do I want to stay with a security company that seems to be so lax that bad actors seem to gain access every few years?

I believe (at least in the US) you are legally bound to notify users that their data may have been compromised. Plus if companies sweep it under the rug to hide it and then word gets out later, it would be orders of magnitude worse, and could open themselves up to lawsuits

I agree hearing a password company being hacked is not good PR and image (especially when there is an Open Source alternative...free). As for notifying the users I have a feeling over 90% have no idea this even ever happened they just use the app. You really have to follow the news.
 
Doesn’t a password manager require cloud sync for multiple devices? In that case aren’t you just paying for the cloud? I’m asking because that’s what I’ve always thought.

iCloud is definitely encrypted. Not sure where you heard this from but it’s incorrect. The problem is Apple has the encryption keys therefore has access to your data and can decrypt it. It’s secure but not private at all.

-No. Some other password managers are able to let you set up your own cloud, or use a free storage service like iCloud (5GB free, password storage is only some megabytes), or you can sync your device via Wifi (Enpass still allows this, 1Password took it away and forced their cloud service hence this thread), and some actually offer you the cloud storage+sync service for free like Bitwarden!

-This is like saying you have the keys to your safe in the bank, but so does the bank employee. The whole idea of encryption is for me only to unlock it. Me and the stranger Apple employee can enjoy looking at my data is not tempting. Encryption has to be end to end and zero access. What reason does Apple have to give themselves the ability to unlock my data? very suspicious.
 
-No. Some other password managers are able to let you set up your own cloud, or use a free storage service like iCloud (5GB free, password storage is only some megabytes), or you can sync your device via Wifi (Enpass still allows this, 1Password took it away and forced their cloud service hence this thread), and some actually offer you the cloud storage+sync service for free like Bitwarden!
I kind of figured they could make it where it would be self hosted but that wouldn’t make them money. I might check out bit warden because I’ve heard good things about them. I’m very cautious when it comes to password managers because you are literally giving them all your information so it’s really important who you trust.


-This is like saying you have the keys to your safe in the bank, but so does the bank employee. The whole idea of encryption is for me only to unlock it. Me and the stranger Apple employee can enjoy looking at my data is not tempting. Encryption has to be end to end and zero access. What reason does Apple have to give themselves the ability to unlock my data? very suspicious.
Well Apple has said publicly if I’m not mistaken that they are reluctant to use end to end encryption because that means if you lose your login information all your data is gone. Right now if somehow you forgot your iCloud password Apple could reset it for you after you prove who you are then you would have your data back.

This argument while sort of plausible doesn’t really hold water because it doesn’t explain why Apple doesn’t give you at least the option to turn on end to end encryption with a warning about data loss. Combine this with them proposing to scan your photos plus government pressure against encryption it’s likely Apple is just bending to government pressure. No corporation can stand up to governments worldwide. If it was just China sure but even the USA and the EU are pressuring them.

I think at some point you just have to accept the fact that information stored on any Internet connected device is not private. This doesn’t mean it’s not secure because no one’s going to steal your accounts but at least governments have access to your information and that’s not going to change.
 
Here's a video I ran across a couple of weeks ago.. It's not bible.. but it began my rabbit hole of research... as I'm in the process of moving EVERYTHING out of iCloud... and it's not because I don't trust Apple.. I just want to control everything as much as possible..
The host of that video is giving out bad information.


"Apple thus added a third option to allow your device to generate a cryptographically secure iCloud Security Code. If you select this option when setting up your iCloud Security Code in the process of turning on iCloud Keychain (tap Settings > iCloud > Keychain, turn on iCloud Keychain, and then follow the steps in the screenshot), iCloud Keychain Recovery uses a completely different process to protect your keychain.



When you do this, your device generates a totally random iCloud Security Code that contains so much entropy that you don’t need the HSMs, since it is theoretically impossible to break via brute force using current (and foreseeable) techniques and technology. Select this option and the original random key protecting your keychain is wrapped with a key generated using this random iCloud Security Code, is never sent to Apple, and can’t be intercepted."

 
I kind of figured they could make it where it would be self hosted but that wouldn’t make them money. I might check out bit warden because I’ve heard good things about them. I’m very cautious when it comes to password managers because you are literally giving them all your information so it’s really important who you trust.

- Enpass is the closest thing to 1password with local storage and wifi sync. The reason I trust Bitwarden is that it's FOSS+popular so if there is anything wrong with the code someone will pick it up. Also I felt better about storing the data in the cloud since I learned it gets encrypted locally then the encrypted file is sent to the cloud so even if someone gets his hands on it they can not do much with it. In addition to all of this it's FREE and even the premium accounts are like $10 a year compared to 1password $32 a year. At this point it's a bit ludicrous to stay with 1password except for one necessary feature for me and that is the assistant app which I can find with Enpass.

I do not see Bitwarden working on local storage or assistant app because that kills their main business which is cloud storage.

Well Apple has said publicly if I’m not mistaken that they are reluctant to use end to end encryption because that means if you lose your login information all your data is gone. Right now if somehow you forgot your iCloud password Apple could reset it for you after you prove who you are then you would have your data back.

This argument while sort of plausible doesn’t really hold water because it doesn’t explain why Apple doesn’t give you at least the option to turn on end to end encryption with a warning about data loss. Combine this with them proposing to scan your photos plus government pressure against encryption it’s likely Apple is just bending to government pressure. No corporation can stand up to governments worldwide. If it was just China sure but even the USA and the EU are pressuring them.

Yeah that's just lies. A person is responsible for his data not Apple, if you lose your password it's on you. Sure if someone does not mind and would rather Apple break into his data to retrieve it over keeping it private I think he should get that option but they are forcing it on everyone. In reality, Apple serves the common person and the common person is more happy that his data is being exposed with ability to retrieve it all at his request over encrypting his data and being unable to access it ever again. At that point he will be upset with Apple. Just the common mindset. I mean there are campaigns literally telling people how Google and FB are exposing their data and people still keep sending nudes over their apps and networks.

I think at some point you just have to accept the fact that information stored on any Internet connected device is not private. This doesn’t mean it’s not secure because no one’s going to steal your accounts but at least governments have access to your information and that’s not going to change.

This is what they want to brainwash you with and you have drunk the Kool Aid. Indeed, ProtonMail and Bitwarden have zero access to your data and hence it is private. It can be done but they want you to believe otherwise.
 
Looks like LastPass was hacked again, though the vendor states no user data was compromised.
Notice of Recent Security Incident

Making this worse.. well.. umm.. ouch.


FOUR DAYS.

They can say all they want about how their production environment wasn't impacted, or that the intruder didn't have access to encrypted passwords, the fact that they were able to get in and have that access for four days is telling everyone more about the lack of security they have. Having access to their development environment means that they had to look over every single bit of their code for any malicious code, let alone validate that the various builds between production and development weren't different outside of the code they were working on.


I believe (at least in the US) you are legally bound to notify users that their data may have been compromised. Plus if companies sweep it under the rug to hide it and then word gets out later, it would be orders of magnitude worse, and could open themselves up to lawsuits

If this isn't a reason why one shouldn't try to store passwords at a SaaS business, I don't know what is. Not only did they have the compromise for four days, they didn't release anything regarding it for TWO WEEKS. For having a vulnerability and compromised environment for four days and not saying anything for two weeks, not only would multiple ISOs be out of a job here, but multiple heads should have rolled. This is absolutely horrible for LastPass, and does show that some things - some data is too valuable or vital to be placed in places like the cloud or a SaaS for the sake of convenience.

BL.
 
I still don't think it sensible to keep passwords on a company's honeypot password server.

Seems hackers had access to Last Pass for days.


But they say "we have seen no evidence that this incident involved any access to customer data" so that's just fine then.

I wonder what they were doing for four days.
 
I am not sure that having data in the cloud is any more of an issue if source code is hacked versus having your data stored locally. You still have to use the client software to de-crypt your vault and when doing that, we are trusting the company behind that client software to not scrape any data or do anything malicious.

From what I've read about zero knowledge security that all of these password companies use, I feel that the vaults are secure. What is troubling to me is that LastPass had a rogue actor in their development environment for 4 days before they noticed....concerns are how did they get in in the first place and why it took so long to discover this.
 
In light of the recommendations for SafeInCloud in the first few pages of this thread, I have switched to SafeInCloud. Looks very promising and the import was flawless. Very small program compared to 1Password. Using CloudKit for sync.

EDIT: before 1Password, I had used Bitwarden and iCloud Keychain. Keychain was too opaque and Apple only, and Bitwarden didn't import well the last time I moved away from Keychain.
 
Anyone using Strongbox? How is it? Does importing 1P data work well or is it so-so?

Yep, and no problems with it. That said, I don't use it for browser integrations, but mainly have it to store my passwords and other sensitive stuff. I keep my vault inside an encrypted cloud that only I have access to, and it syncs across my various devices -- which is what I used to do for 1PW until their Big Screw(tm).

I haven't tried the iOS app yet b/c I don't like password managers on my phone.
 
Yep, and no problems with it. That said, I don't use it for browser integrations, but mainly have it to store my passwords and other sensitive stuff. I keep my vault inside an encrypted cloud that only I have access to, and it syncs across my various devices -- which is what I used to do for 1PW until their Big Screw(tm).

I haven't tried the iOS app yet b/c I don't like password managers on my phone.
Thanks for the reply.

What do you mean by “encrypted cloud”? How?
 
I totally don’t mind the subscription service aspect of 1Password, but with each major version, usability and reliability has gone down. 8 is the worst, and I thought 7 was bad.
 
Anyone using Strongbox? How is it? Does importing 1P data work well or is it so-so?

In light of the recommendations for SafeInCloud in the first few pages of this thread, I have switched to SafeInCloud. Looks very promising and the import was flawless. Very small program compared to 1Password. Using CloudKit for sync.

EDIT: before 1Password, I had used Bitwarden and iCloud Keychain. Keychain was too opaque and Apple only, and Bitwarden didn't import well the last time I moved away from Keychain.

How is the autofill feature? Is it able to fill forms and such or just login?

Yep, and no problems with it. That said, I don't use it for browser integrations, but mainly have it to store my passwords and other sensitive stuff. I keep my vault inside an encrypted cloud that only I have access to, and it syncs across my various devices -- which is what I used to do for 1PW until their Big Screw(tm).

I haven't tried the iOS app yet b/c I don't like password managers on my phone.

If you store the vault in the cloud, is it encrypted and get decrypted on device? Seems pretty dangerous to store plain vault in the cloud.

I totally don’t mind the subscription service aspect of 1Password, but with each major version, usability and reliability has gone down. 8 is the worst, and I thought 7 was bad.

It's another part of why this thread started. It's not just the forced subscription, but there were features lost like no local storage anymore
 
I totally don’t mind the subscription service aspect of 1Password, but with each major version, usability and reliability has gone down. 8 is the worst, and I thought 7 was bad.
I've long since stopped using 1Password (been on Bitwarden with no regrets), can you elaborate on your point of usability and reliability has decreased?
 
It's another part of why this thread started. It's not just the forced subscription, but there were features lost like no local storage anymore

Removing local host/cloud host of the vault file is the biggest reason i left. that plus the new subscription model wasn't worth my continued use.
 
Removing local host/cloud host of the vault file is the biggest reason i left. that plus the new subscription model wasn't worth my continued use.
Versions six and seven have best-in-class implementation of smartfolders (saved searches based on multiple criteria). Version eight has none whatsoever.

In general: It seems to me that 1Password personnel play on users' security concerns. Feels almost like fearmongering. For my needs, 'housekeeping' functionality is what matters. I want features that help me to organize my database items. I don't care about overengineered precautions for security threats that I'll never face. I appreciate the sophistication of the overengineering lol but the software feels oriented to consumers less and less.

As of now I think only Secrets and KeePassXC have smartfolders functionality.
 
Versions six and seven have best-in-class implementation of smartfolders (saved searches based on multiple criteria). Version eight has none whatsoever.

In general: It seems to me that 1Password personnel play on users' security concerns. Feels almost like fearmongering. For my needs, 'housekeeping' functionality is what matters. I want features that help me to organize my database items. I don't care about overengineered precautions for security threats that I'll never face. I appreciate the sophistication of the overengineering lol but the software feels oriented to consumers less and less.

As of now I think only Secrets and KeePassXC have smartfolders functionality.

Yeah I loved 6, I had a license for it so I never upgraded to 7 but a new Mac meant I'd have to move to 8 now or change apps so I changed apps.

Nothing's quite as polished as 1password but perfectly usable.
 
How is the autofill feature? Is it able to fill forms and such or just login?



If you store the vault in the cloud, is it encrypted and get decrypted on device? Seems pretty dangerous to store plain vault in the cloud.



It's another part of why this thread started. It's not just the forced subscription, but there were features lost like no local storage anymore
The autofill feature seems to work fairly well, better than 1Password.

https://support.apple.com/guide/security/cloudkit-security-sec3d52c0374/1/web/1
If you're using CloudKit to store the vault, yes.

I had to switch from Medicaid to regular medical insurance, so for me it was just trying to reduce my subscriptions.
 
Removing local host/cloud host of the vault file is the biggest reason i left. that plus the new subscription model wasn't worth my continued use.

Honestly with Bitwarden being free I see no reason for anyone to pay 1password $36 yearly (unless you favour the GUI). Even the paid Bitwarden is just $10 a year! Just shows 1password is just a money greedy corporate.

Bitwarden being open source is even a plus for society and security since everyone can see and trust the code!

The main advantage for 1password is the app and the assistant/mini app which is a great idea I believed innovated by them which Bitwarden does not have and I believe will never have since their business model relies on the cloud storage. For that I use Enpass.

Versions six and seven have best-in-class implementation of smartfolders (saved searches based on multiple criteria). Version eight has none whatsoever.

In general: It seems to me that 1Password personnel play on users' security concerns. Feels almost like fearmongering. For my needs, 'housekeeping' functionality is what matters. I want features that help me to organize my database items. I don't care about overengineered precautions for security threats that I'll never face. I appreciate the sophistication of the overengineering lol but the software feels oriented to consumers less and less.

As of now I think only Secrets and KeePassXC have smartfolders functionality.

Fear mongering is right! At this point it's "give us your money or face the threat of the internet" meanwhile a guy like the one working on SafeInCloud is giving a lifetime license for his app that works on multi platforms for $5 🤣🤣

So much for the guys who drank 1password KoolAid saying you have to pay $3/m because it's non sustainable🤣🤣

The autofill feature seems to work fairly well, better than 1Password.

Better than 1password? That's a big one! 1password has been the best autofill for me with Bitwarden being actually better since I can add the custom fields myself!
 
Honestly with Bitwarden being free I see no reason for anyone to pay 1password $36 yearly (unless you favour the GUI). Even the paid Bitwarden is just $10 a year! Just shows 1password is just a money greedy corporate.

Bitwarden being open source is even a plus for society and security since everyone can see and trust the code!

The main advantage for 1password is the app and the assistant/mini app which is a great idea I believed innovated by them which Bitwarden does not have and I believe will never have since their business model relies on the cloud storage. For that I use Enpass.

Fear mongering is right! At this point it's "give us your money or face the threat of the internet" meanwhile a guy like the one working on SafeInCloud is giving a lifetime license for his app that works on multi platforms for $5 🤣🤣

So much for the guys who drank 1password KoolAid saying you have to pay $3/m because it's non sustainable🤣🤣

Better than 1password? That's a big one! 1password has been the best autofill for me with Bitwarden being actually better since I can add the custom fields myself!
60 pages of you trying to justify your choice. The reason I haven’t posted in the thread for a while is because all you do is try to point out all the things that person does wrong if they like and use 1Password. Saying greed, saying people drink Kool-Aid, and more. You realize most Android people think Apple users drink the Apple Kool Aid? Some people like expensive cars, some people are happy with a 20 year old beater. Are the people paying $70,000 plus for a car wrong? No. Now is that car maker greedy for charging that much for a car? That’s an opinion.

Cool, you left 1Password for whatever reason, I couldn’t care less. But if a person says they like it, oh boy, they are wrong in your book. If a person thinks 1Password does something better, that’s their opinion and who are you to judge?

Some people say Apple is greedy, maybe they are, but most people on this site like them. What works for them, that’s cool in my book.

Some people pay for Verizon for cell service, some people have Metro or Boost, what works for them is what counts.

I pay for FastMail for email, I can easily use gmail or Outlook for free. If a person pays more for something and they are happy, why do you care?

$5 for lifetime? You realize there is no such thing as lifetime? There is no way that app will work 20 years from now… let alone the rest of my life. I also wouldn’t trust something as important as my passwords to a $5 app. RememBear, a newer password manager that started 6 years ago is shutting down in July of 2023.

I probably won’t post in here again in this thread, who knows. But to mock people, look down on them, and criticize them for what they use isn’t cool. I tell people to use a password manager, I also tell them all the options out there. If they go with something different than me, cool, they are using a password manager and headed in the right direction in securing their accounts.
 
$5 for lifetime? You realize there is no such thing as lifetime? There is no way that app will work 20 years from now… let alone the rest of my life. I also wouldn’t trust something as important as my passwords to a $5 app. RememBear, a newer password manager that started 6 years ago is shutting down in July of 2023.
To be fair, there were plenty of us that didn't expect lifetime. I bought a license and it lasted me several years. I would have bought another one but they didn't give us that option any more. Not only that, the same amount of years at the current subscription prices would cost me more than 50% more than what I paid for the previous few years. I shopped around and found another password manager I liked better.
 