I still maintain that passwords hosted on any developer's server are a target. This has been demonstrated most recently: "LastPass’s full investigation points to a coordinated effort using multiple techniques to target both broad and specific vectors for the company. It’s a sophisticated attack that happened in stages across multiple months."
They keep hammering away...there is a goldmine of authentication data to be had at these online password storage companies.
Reactions: gregmac19
> I still maintain that passwords hosted on any developer's server are a target.
Of course they are - we have a whole discussion occurring here: LastPass hacked Again

Unless you choose not to use any password manager (like Keychain, Google Chrome and the myriad 3rd-party options), you will be at risk. Also, if you do any online work, with banking, emailing, or work, then your data is going to be at risk. If your computer connects to the internet and uses a router, then your computer is at risk as well.

My point, while over the top, is that there's no getting around that our personal data is already on servers, some of whom probably don't take the precautions we would want them to. Choosing a password manager is about balancing the risk vs. reward. Many people choose a manager that is self-hosted; that's great. I find that 1Password's track record is so good that I think the risk level is low. Btw, I use Bitwarden and, like 1Password, I'm more comfortable with them.
Reactions: MisterSavage
> Of course they are - we have a whole discussion occurring here: LastPass hacked Again
>
> Unless you choose not to use any password manager (like Keychain, Google Chrome and the myriad 3rd-party options), you will be at risk. Also, if you do any online work, with banking, emailing, or work, then your data is going to be at risk. If your computer connects to the internet and uses a router, then your computer is at risk as well.
>
> My point, while over the top, is that there's no getting around that our personal data is already on servers, some of whom probably don't take the precautions we would want them to. Choosing a password manager is about balancing the risk vs. reward. Many people choose a manager that is self-hosted; that's great. I find that 1Password's track record is so good that I think the risk level is low. Btw, I use Bitwarden and, like 1Password, I'm more comfortable with them.
I don’t get why more people don’t self-host. Why take on any additional risk when there are multiple options available to keep your vault off the internet? With self-hosting, I never need to worry about a server being hacked, or concern myself with stuff like “Kdf iterations.” I considered Bitwarden, and am glad I didn’t go that direction.
Reactions: Jordan Klein
> I don’t get why more people don’t self-host. Why take on any additional risk when there are multiple options available to keep your vault off the internet? With self-hosting, I never need to worry about a server being hacked, or concern myself with stuff like “Kdf iterations.” I considered Bitwarden, and am glad I didn’t go that direction.

The options to self-host are very few. Currently only Enpass and any KeePass KDBX variant. I think Codebook too, but Codebook, I believe, works with Safari only.

I am not sure if I am missing any others.

> I still maintain that passwords hosted on any developer's server are a target. This has been demonstrated most recently: "LastPass’s full investigation points to a coordinated effort using multiple techniques to target both broad and specific vectors for the company. It’s a sophisticated attack that happened in stages across multiple months."
> They keep hammering away...there is a goldmine of authentication data to be had at these online password storage companies.

You are right. What worries me most is some new update comes along and the developer drops the ball and suddenly there is a vulnerability that attacks 10 million customers and the hackers already downloaded the data!

Happy 200 login password changing!

> Of course they are - we have a whole discussion occurring here: LastPass hacked Again

Any one still paying for LastPass is a looney
Reactions: max2
Depending on how a self-hosting option is presented, it's conceivable that you're putting yourself at a higher risk, as you now need to ensure the security and integrity of the vaults, including backups. And we know how few people actually back up their systems.
It seems to me that if a person is security-conscious enough to be considering self-hosting, they are probably the type to already be securely backing up their data.
Reactions: MacHeritage
> The options to self-host are very few. Currently only Enpass and any KeePass KDBX variant. I think Codebook too, but Codebook, I believe, works with Safari only.
>
> I am not sure if I am missing any others.
You can self-host with Bitwarden and Strongbox as well.

Codebook works with any browser, although the Autofill feature only works on Safari on macOS. However, the Secret Agent feature of Codebook makes inserting your passwords and other information into any browser, almost as convenient as with Autofill.
Reactions: MacHeritage
Not a flaw, as it is a valid use case, but can be rather dangerous. For users of Bitwarden:


Again, thankfully it is disabled by default, but still is something that users need to be aware of.

BL.
Reactions: max2
> Not a flaw, as it is a valid use case, but can be rather dangerous. For users of Bitwarden:
>
>
> Again, thankfully it is disabled by default, but still is something that users need to be aware of.
>
> BL.
Thanks for the info, Brad.

Do you think that other password managers with autofill have the same issue? I think that Apple has a different setup for Safari users, which some password managers (e.g., Codebook) take advantage of. However, I am wondering about autofill for other browsers.
 
> Thanks for the info, Brad.
>
> Do you think that other password managers with autofill have the same issue? I think that Apple has a different setup for Safari users, which some password managers (e.g., Codebook) take advantage of. However, I am wondering about autofill for other browsers.

In looking at the article, it depends on how autofill is implemented. In Bitwarden's case, since they are using an extension for autofill, that extension not only looks at any iframes from the parent site and fills those, it will also autofill any iframes from any additional site (read: the attacking site) and send that info to the attacker. All that would be needed from there is that the attacking site take note of what the parent site is, resulting in the attacker having your credentials to that site.

If other password managers don't allow autofill to fill every iframe that it sees waiting for user input, then you're safe. But it all boils down to how they implement autofill in their browser extensions, and I think Bitwarden, while with a valid use case, has made their implementation of autofill in their browser extension a bit overzealous.

BL.
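The frame-filling behaviour described in the post above, as an added example that is not Bitwarden's code and not from the original thread: a small model of the decision an extension makes for each frame it finds on a page. The "overzealous" policy matches the vault entry against the top-level page and then fills every frame with a login form, whatever origin the frame was loaded from; the stricter policy also requires the frame's own host to match the vault entry. The vault entry, the host names (bank.example, attacker.example, cdn.example) and the frame list are constructed for the example; how the foreign frame got into the page is outside its scope.

```javascript
// Added example (not Bitwarden's code): modelling an extension's per-frame
// autofill decision, with the overzealous policy beside a stricter one.

// Constructed sample vault: one saved login for a hypothetical bank.
const VAULT = [
  { uri: "https://bank.example/login", username: "alice", password: "correct horse" },
];

// Hostname of a URL, or null if the URL does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null;
  }
}

// Look up the vault entry whose host matches the given URL's host.
function findEntry(url) {
  const host = hostOf(url);
  return VAULT.find((e) => hostOf(e.uri) === host) || null;
}

// Overzealous policy: decide once, on the top-level page, then fill every
// frame that presents a login form. A frame from another origin gets the
// credentials too, and that frame's owner can read what was typed into it.
function fillOverzealous(topUrl, frames) {
  const entry = findEntry(topUrl);
  if (!entry) return [];
  return frames
    .filter((f) => f.hasLoginForm)
    .map((f) => ({ frame: f.url, filledAs: entry.username }));
}

// Strict policy: the frame itself must belong to the vault entry's host.
// Frames from any other origin are skipped even when the top page matches.
function fillStrict(topUrl, frames) {
  const entry = findEntry(topUrl);
  if (!entry) return [];
  return frames
    .filter((f) => f.hasLoginForm && hostOf(f.url) === hostOf(entry.uri))
    .map((f) => ({ frame: f.url, filledAs: entry.username }));
}

// Constructed scenario: the bank's page embeds its own login frame, a frame
// controlled by an attacker (hypothetical host), and a harmless widget frame.
const TOP_URL = "https://bank.example/login";
const FRAMES = [
  { url: "https://bank.example/login-frame", hasLoginForm: true },
  { url: "https://attacker.example/harvest", hasLoginForm: true },
  { url: "https://cdn.example/widget", hasLoginForm: false },
];

// Frames that received credentials but do not belong to the vault entry's host.
function leakedFrames(results, topUrl) {
  const entry = findEntry(topUrl);
  if (!entry) return [];
  return results.filter((r) => hostOf(r.frame) !== hostOf(entry.uri)).map((r) => r.frame);
}

// Stand-alone run: show where each policy puts the credentials.
console.log("overzealous:", fillOverzealous(TOP_URL, FRAMES).map((r) => r.frame));
console.log("leaked to:", leakedFrames(fillOverzealous(TOP_URL, FRAMES), TOP_URL));
console.log("strict:", fillStrict(TOP_URL, FRAMES).map((r) => r.frame));
console.log("leaked to:", leakedFrames(fillStrict(TOP_URL, FRAMES), TOP_URL));
```

The strict check only guards against frames from a different host; if an attacker can get content served from the vault entry's own host (user-uploaded HTML, for instance), a host match alone does not help, which is why matching on the frame's origin is a floor rather than a complete defence.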
 
> In looking at the article, it depends on how autofill is implemented.
Codebook, Minimalist, and Strongbox all use Apple's AutoFill feature to automatically fill in forms. (By the way, Safari is the only macOS browser that currently uses Apple's AutoFill. Thus, Minimalist and Strongbox have the same limitation for autofill as Codebook.) In contrast, it doesn't appear that Enpass uses Apple's AutoFill feature, as they seem to rely on browser extensions like Bitwarden. Anyhow, though I don't use Bitwarden, I am left to wonder if I should be concerned about this issue.
 
> Codebook, Minimalist, and Strongbox all use Apple's AutoFill feature to automatically fill in forms. (By the way, Safari is the only macOS browser that currently uses Apple's AutoFill. Thus, Minimalist and Strongbox have the same limitation for autofill as Codebook.) In contrast, it doesn't appear that Enpass uses Apple's AutoFill feature, as they seem to rely on browser extensions like Bitwarden. Anyhow, though I don't use Bitwarden, I am left to wonder if I should be concerned about this issue.

If using Apple's autofill, I don't think you should be worried about it, unless the flaw also exists within Apple's autofill implementation. Likewise with Enpass; if the flaw exists, the scope of it is only limited to Enpass' browser extension. So far, only Bitwarden has been looked at for this, and in particular, how they implemented it.

If the flaw exists in Apple's implementation of Autofill, then Safari, and any other password manager that uses Apple's autofill would be impacted.

A search of the current open CVEs for anything Apple related doesn't report anything, so you should be okay for now; But just know that if it does show to be a flaw there, by extension (pun intended) anything else that uses that implementation would be impacted until Apple pushes out a fix for it.

BL.
Reactions: gregmac19
> You can self-host with Bitwarden and Strongbox as well.
>
> Codebook works with any browser, although the Autofill feature only works on Safari on macOS. However, the Secret Agent feature of Codebook makes inserting your passwords and other information into any browser, almost as convenient as with Autofill.

So if I have Secret Agent, then it autofills in any browser?
 
> Not a flaw, as it is a valid use case, but can be rather dangerous. For users of Bitwarden:
>
>
> Again, thankfully it is disabled by default, but still is something that users need to be aware of.
>
> BL.

Who uses an iframe to log in? I have almost never seen that. Plus, how can an attacker add his iframe into an official website?
 
> So if I have Secret Agent, then it autofills in any browser?
It would probably be best if you read the description of Secret Agent, and view a demo of it: https://www.zetetic.net/codebook/secretagent/

Although I don't mind the slight inconvenience of Secret Agent over AutoFill, my guess is that you won't like it.

I know you have used Enpass and have some issues with it, but based on your posts, it seems as it would be the best password manager for your needs. My main issue with Bitwarden is that although you can self host, it is inconvenient to do so with their setup.
 
"How do you know that? They haven’t done anything obviously shady. But you can never know. Recently all personal data of everyone in my country was stolen because of a mistake by an employee of the National tax service. So… It doesn’t even have to be their fault. But they are messing with stuff on your computer they should not. And there isn’t even a need for it. Other products show that it works without root certificate."


This is the stuff that I have nightmares about when talking about "cloud" password storage system.

I am treading lightly with Bitwarden
Reactions: johnkree
Still wishing Firefox could talk to Keychain - I'd switch to that setup in a heartbeat, but I don't use Safari as my main browser. :/ So I kludgily self-host/share via Strongbox for my computers.
 
Seems like all who use Chrome, Chromium-based browsers, or Firefox will be forced to upgrade to 1P8 or switch to another manager.

Agilebits wrote:
In the future, Google will stop supporting Manifest V2 in Chrome. Because of this change, in 2023, the 1Password classic extension for Chrome, Firefox, Edge, and Brave will no longer be supported.