Strongbox either now has or will have extensions for other browsers. macOS version has those extensions now. iOS either now, too, or coming soon.

[I like Strongbox. I don't yet use Strongbox. I'm looking to switch--soon--from 1Password v7.]

Strongbox appeals to me for two reasons: (a) KeePass file format (kdbx) works with several apps in addition to Strongbox. (b) KeePass has a critical mass and Strongbox is on the rise.

Lots and lots of people are buying and using Strongbox. I think it'll be around for a while and I think the developer will put good effort into development. In my opinion: Codebook is obscure--fewer users? slower growth?--so if you're looking for it to gain features, well that's not a sure thing. I want my password manager to be an app that very many other people use. I want my password-database file format to be one that more than one app uses.

[N.B. These priorities of mine come directly from the 1Password change to sub-only pricing. I've got a lot of data in 1Password and it feels as if I'm being held hostage. Maybe some apps are flashier than is Strongbox/KeePass but after this 1Password debacle I want to always have options when it comes to apps managing my data.]

It's my opinion that all current apps have one shortcoming or another. For instance macOS autofill apps (e.g., Strongbox, Minimalist) are limited by Apple constraints (e.g., no creating a new password-manager item by right-clicking in a password field?)... 1Password v7 is great but it's no longer buyable... 1Password v8 takes away features such as smartfolders... Secrets has good featureset and it's not tied to macOS autofill but still it, too, has no functionality for creating database items on the fly... I've looked at Codebook but I've not ever used the app; it's my understanding that Codebook does not allow for creating smartfolders (saved searches based on multiple criteria), which for me, is a dealbreaker... In summary: They're all bad, but in different ways.
Thanks for your response.

I don’t know what your reference is for “KeePass has a critical mass and Strongbox is on the rise.” Additionally, it seems like you should be considering Bitwarden if you want an app that a lot of people use.

Codebook is indeed obscure, but the developer has been around a long time, and they seem to have a solid business. As they supply regular updates, and provide good support, I am not worried that they are going to go away anytime soon. Furthermore, I am not looking for new features, as I am just using Codebook as a password manager.

My number one concern with a password manager is how secure it is. Codebook allows you to keep your vault on just your local hard drive, instead of it floating out on the Internet where hackers could conceivably get access to it. Additionally, the program can operate with a minimum of plug-ins and extensions, which I also think helps keep it secure. That it is available for a nominal one-time cost is also a big plus.

Finally, I don’t get why complex searches are needed in a password manager, as I only have a few dozen passwords, and can always easily find what I am looking for.

Please let us know how it goes with Strongbox if you decide to start using it.
 
Keepass has been around since 2003 and is very well known. I enjoyed using it back in the day when I had a Windows PC.
 
I am well aware that Keepass has been around awhile. I was questioning the "Strongbox is on the rise" portion of the comment.
 
Strongbox is becoming quite popular amongst iOS users -- and that's despite its high price. First 1Password loses its soul. And then, recently, the Strongbox developer makes Strongbox a 'unified' app so that one purchase covers all platforms (iOS, iPadOS, macOS). And even more recently come the extensions for browsers other than Safari. In my opinion: Strongbox is goin' places. And the use of KeePass format makes it very low-risk to give this app a try.

Perhaps one indicator of popularity is the number of App Store reviews. Number for Strongbox bigger than that for Enpass, bigger than that for Bitwarden.

Seems to me Codebook meets the criteria and priorities that gregmac19 puts emphasis on. Though, for what it's worth, Strongbox has got a ton of settings relating to security. You might want to check it out.
 
I've been using Enpass for years now ever since 1Password became such a terrible mess. I've generally had zero problems with them and I'm not sure what all the excitement has been with Enpass changing their sub model or whatever. Who knew? I didn't see anything like that on the Mac or Linux. Maybe it was specific to iOS only but I don't allow password protected sites to generally be used on my iPhone.
 
I am seriously considering switching full time to Bitwarden from Enpass. I was strongly against cloud storage, but since it's FOSS+FREE, plus I learned data is encrypted on device before going to the cloud, I feel much safer about it. The data will always live on my device and the cloud will be used for syncing. My problem is the mini assistant app is a must for me, which is not there for Bitwarden.

Bitwarden seems much more professional in their work and does autofill better. I wanted to like Enpass, but the app has a lot of polishing to do, the autofill is not as good as Bitwarden, and their team seems to be too small to handle the task.

I will continue to keep both for now hoping Enpass gets better, but I doubt it. It's not bad, it's just not as good as Bitwarden functionality-wise. Still the only password manager that sells license+stores locally+multiplatform+choose your own cloud storage+assistant app and no Electron, I believe.
 
Can you prove that?

No, and I do not use Enpass with cloud storage. I do not think they have a cloud storage service. What @MisterSavage said was correct.

Oh, ok. The text you quoted was from the paragraph where he/she was describing why they were becoming comfortable with Bitwarden cloud storage.

There is always the argument that you can never trust FOSS being run on the server side of things. While it's true, I have enough trust in Bitwarden not to do anything scammy behind closed doors. If I was working for some government security agency then yeah, I wouldn't trust them, but for my threat level I am ok.
 
On the server side of things, you can trust it... but to a degree. As it is FOSS, one would need to verify that whoever is running the server is using a binary compiled from the vanilla source code (read: no patches outside the source code tree provided by Bitwarden applied), or is using a precompiled binary from Bitwarden that has been checksummed to be originally from them. Bitwarden can provide the checksum for the binary along with it, and the user can run something like md5sum or sha1sum to see if those checksums match. However, that is something that the person running the server would need to provide.

The problem one could have is if they operate like RedHat or CentOS, where instead of using the latest kernel from the source, they take patches and back port it to the kernel they are already using for that particular software distribution. Because of that, you couldn't tell if their kernel was valid without looking at every single line of source code.

As for a government entity, that is a different story. In my time working for them, there have been very few FOSS projects that they have used.

BL.
 
Gov. agencies trust data hoarding corporates with their data?! Average joes do not trust Gmail and Facebook. I wouldn't trust OneDrive with any personal files nor would I trust 1Password with my passwords.
 
So why do you trust Bitwarden? How do you know they aren't controlled by nefarious people? I doubt they are, but my point is that you don't need to trust Bitwarden when there are other alternatives readily available.
 
I trust them like I trust my bank with my money. The software is FOSS. Many people trust them. They have a brand name to protect. They are not small time and have millions invested. Their whole differentiation business model is that they are FOSS otherwise they will be just another Dashlane or 1password.

What other alternatives? Most of the foss software has issues like supports 1 platform, ugly GUI, or "you are on your own" mentality. This one has a corporate working behind it. Professional work not someone who does it as a side project in their free time.
 
So why do you trust Bitwarden? How do you know they aren't controlled by nefarious people? I doubt they are, but my point is that you don't need to trust Bitwarden when there are other alternatives readily available.
You don't need to trust a fully open source password manager?? And if you were worried about them doing something shady you could download their source, verify it, and run a self hosted instance of it without their involvement.
 
I think the Bitwarden license does not allow you to run your own server, that's why there is Vaultwarden. Maybe there is something I do not understand.
 
You don't need to trust a fully open source password manager?? And if you were worried about them doing something shady you could download their source, verify it, and run a self hosted instance of it without their involvement.
Perhaps reading bradl's post from Friday 11/4 @ 3:22 PM will help you to understand the context of my comments.

As you know, although you can self-host Bitwarden, by default it puts your vault on the internet. IMO this is an unnecessary security risk. As I don't have the computer resources to self-host, I don't use Bitwarden.
 
I think the Bitwarden license does not allow you to run your own server, that's why there is Vaultwarden. Maybe there is something I do not understand.

They're definitely ok with it. They give you instructions on how to access license paid features on a self-hosted instance.

I think the Bitwarden license does not allow you to run your own server, that's why there is Vaultwarden. Maybe there is something I do not understand.

It looks like Vaultwarden is a fork of the Bitwarden code and not connected to the Bitwarden developers.
 
Looks like it's mostly its own product. I've not heard of this.

To say Vaultwarden is a fork of Bitwarden is something that makes it easy to understand but truly Vaultwarden is a completely separate project and the code-base is mostly written in Rust.
Vaultwarden is only a compatible backend server, and still requires the use of the official Bitwarden clients. This is similar to self-hosting your own official Bitwarden service, and is mostly aimed at small businesses, families, and tech hobbyists and tinkerers.

Here's a Reddit thread that seems to add some details. It doesn't look like it's a product being set up as a competitor, i.e., not commercial, just an initiative to provide a lite self-hosted solution that is compatible with Bitwarden's backend processing.

 
I use Vaultwarden instead of the "official" self-hosting solution only because it is lightweight and much easier to set up. Otherwise I would have chosen the "official" images.

That said, Vaultwarden provides everything I need and works in my testing installation without any problems.
 