So I've now tried out two replacements, and I'm disappointed in both so far, for different reasons.

My requirements are perpetual license and file sync of my own.

Tried and purchased Minimalist under Lifetime license. They removed the option for lifetime, so I'm not confident they won't screw me like 1P did - same start anyhow. Minimalist is just too minimal in its UI; there's no organisation and no visual hints. It's clunky, looks dated, and it's not simple to work with categories.

Tried Strongbox. I actually really do like it as a start, but there are no categories. You have to put a lot of custom fields in to be useful. Their free tier is excellent and if all you do is passwords, look no further. It's other things like passports, or credit cards… there's just no support for that. You might get mixed use with the Apple Keychain, but at that point, why?

I'm guessing Strongbox is scrambling a bit to get categories going, but if they do, they're going to be very good.

Anyone I'm missing that does perpetual and self-sync?
 
Anyone I'm missing that does perpetual and self-sync?
You have at least these choices left: Codebook, Enpass, eWallet, and Sticky Password.

Edit: I use and like Codebook, but it doesn’t yet support credit cards. They are planning on adding this capability either as an upgrade to the current release (Codebook 4) or in the next major release (Codebook 5).

StickyPassword looks promising, but I don't like that it doesn’t have biometric authentication for macOS. I contacted the company, and the support person said that this is coming.

Edit2: While it is true that autofill for credit cards is not supported by Codebook on iOS and Android, you can use Codebook’s “Secret Agent” helper application on macOS and Windows to autofill credit card information. I regret this error, which wouldn’t have happened had I read the clear directions more carefully.
 
So I've now tried out two replacements, and I'm disappointed in both so far, for different reasons.

My requirements are perpetual license and file sync of my own.

Tried and purchased Minimalist under Lifetime license. They removed the option for lifetime, so I'm not confident they won't screw me like 1P did - same start anyhow. Minimalist is just too minimal in its UI; there's no organisation and no visual hints. It's clunky, looks dated, and it's not simple to work with categories.

Tried Strongbox. I actually really do like it as a start, but there are no categories. You have to put a lot of custom fields in to be useful. Their free tier is excellent and if all you do is passwords, look no further. It's other things like passports, or credit cards… there's just no support for that. You might get mixed use with the Apple Keychain, but at that point, why?

I'm guessing Strongbox is scrambling a bit to get categories going, but if they do, they're going to be very good.

Anyone I'm missing that does perpetual and self-sync?

you can go for keepassxc but I find the user interface horrific
 
you can go for keepassxc but I find the user interface horrific

As far as I know Strongbox and KeePassXC use the same file format (KeePass) and the restrictions regarding the fields come from the file format and not from the applications themselves.

And yes, KeePassXC has the worst UI ever and it is barely usable if you put a lot of additional information or multiple usernames and passwords into an entry.

I still think, that 1PW is the best password manager and I would even swallow the subscription because of this, but not having to store my passwords on their servers.

After doing a lot of tests I plan to migrate to Bitwarden, self-hosting it using Vaultwarden. But currently I can still use my 1PW 7 perpetual license, which proves the advantages of this licensing model.
 
Disregarding cost for the moment, what are the main reasons for not choosing 1Password 8?

(I realise that "disregarding cost" may be quite a leap for many, but I say this in order to highlight any deficits in functionality and security specifically.)

I myself was worried that, with 1Password 8, my data would be in the cloud, and would therefore be vulnerable to hacking, but apparently this is impossible for anyone who does not possess my secret key, which (if I have this right) never leaves my device.

I was also worried that my data might become 'hostage' if my subscription were to elapse, but it seems that is not the case.

So, what (as I say, price aside), is the main objection to 1Password 8?
 
For me it is storing my passwords in the cloud, I will never ever do that.

I myself was worried that, with 1Password 8, my data would be in the cloud, and would therefore be vulnerable to hacking, but apparently this is impossible for anyone who does not possess my secret key, which (if I have this right) never leaves my device.

In theory you are correct. But developers make mistakes, I am one myself so I should know ;) And these mistakes could lead to compromising passwords. Besides that there can always be a fraudulent employee. Not storing them in the cloud adds another layer of protection.

Beside that I do not see 1PW as a trustworthy company after how they treated their customers.
 
I still think, that 1PW is the best password manager and I would even swallow the subscription because of this, but not having to store my passwords on their servers.

It's mind-boggling for me why no other password manager is going head-to-head against 1PW. I am no developer, so it's either too difficult or most are lazy and just created something and want to have recurring income from their gold-laying goose.


KeePassXC can get lost over this decision:

That's not reasonable. That's lazy.

You know what they say: if it's free you CAN'T complain. This is why I use FOSS software that has a huge user base and preferably business customers, so if anything should go wrong everyone goes crazy and rings bells.

Disregarding cost for the moment, what are the main reasons for not choosing 1Password 8?

(I realise that "disregarding cost" may be quite a leap for many, but I say this in order to highlight any deficits in functionality and security specifically.)

I myself was worried that, with 1Password 8, my data would be in the cloud, and would therefore be vulnerable to hacking, but apparently this is impossible for anyone who does not possess my secret key, which (if I have this right) never leaves my device.

I was also worried that my data might become 'hostage' if my subscription were to elapse, but it seems that is not the case.

So, what (as I say, price aside), is the main objection to 1Password 8?

It has to do with paranoia:

1) Do you really trust that 1PW is not doing something sneaky behind the scenes?
2) What if the cloud storage gets breached?

===================
"can still sign in to 1Password.com or the apps to view and export your data"
===================

They won't even allow you to manually copy and paste 😂

That, and what Alwis said: I do not see them as a trustworthy company.

-

If you are ok with cost, cloud storage, and trust 1PW you should be ok with using them.

In theory you are correct. But developers make mistakes, I am one myself so I should know ;) And these mistakes could lead to compromising passwords. Besides that there can always be a fraudulent employee. Not storing them in the cloud adds another layer of protection.

say... then how do people trust banking software and online payments and online storage? I mean I think there are hordes of businesses storing their information in the cloud, even if it was their own cloud. Think of all the websites like Amazon and iCloud accounts.
 
Disregarding cost for the moment, what are the main reasons for not choosing 1Password 8?
For me, as someone who writes software for a living, the decision of AgileBits to rewrite in Electron is also a factor (on top of the subscription and cloud aspects). Electron is just awful - it's prone to security vulnerabilities (being built on top of Chrome), it eats up far more memory than a native app would, and UIs are (subtly) different to proper Cocoa/Windows/etc.

I'm forced to use Electron apps for work on a Windows PC, such as Slack and some Microsoft Azure tools, and if my laptop's fans start going crazy, then 99% of the time, it's due to me having an Electron app open. Even running Visual Studio is less of a burden. Fortunately Microsoft has seen sense with Teams, and the new version is not Electron-based. I'm obliged to use 1Password 8 for work, as well - I find it clunky and annoying. It's not really a great improvement on version 7.

For me, using Electron to write apps has a distinct whiff of laziness. It does a lot of the work for you, but IMHO the downsides outweigh the upsides.
 
say... then how do people trust banking software and online payments and online storage? I mean I think there are hoards of businesses storing their information in the cloud even if it was their own cloud. Think of all the websites like Amazon and iCloud accounts.

I do use iCloud and some other cloud storage options.

In iCloud I have no sensitive data, e.g. I do not use iCloud backup. With the other cloud storage providers I do use only German companies, which store the data on servers in Germany and can be sued in Germany, where I am from. More important, I encrypt the data myself before storing it in the cloud.

Banking software is another thing. I do use MoneyMoney, after careful research, and the web portals of the banks I am a customer of. So yes, I have to trust MoneyMoney to some extent, but the maximum damage is limited to my daily transfer limit. This is further mitigated by the fact that I allow transfers to other countries only if I have to and disable it after that.
 
... I don't think it is a product that has been talked about on this thread, but eWallet looks interesting to me. I mention this because it seems you have soured on Enpass, and I guess Codebook.
Iliumsoft eWallet is indeed interesting. I've been using it since 1997 (that's 26 years in case you missed math during the lockdown years). Can you imagine that? PalmOS and Blackberry and WindowsCE (oh my!). When a platform goes mainstream, Iliumsoft crosses to it and keeps current, incl. iOS, Mac, Windows and Droid (no eWallet for you 23 Linux desktop users). Can't wait to see how they render eWallet for visionOS. Ha! vOS is never going mainstream at $3500 just to dip a toe. Prove me wrong before a horse gets me. ("Uh, Mister 'Rat, sir, Meta would like a word.").

I can report non-stop reliability with these features:
  • The working database stays on-device, encrypted with AES 256.
    • I've never had a migration error that put my credential stash at risk. One time, I got spooked, reached out. They replied immediately, to paraphrase: "Don't be a drama queen. Just click it; it'll be fine." I did. It was.
  • Security integrates with the device (PW, TouchID, FaceID, CavityProbe.)
  • Its "cloud synch" feature uses YOUR cloud drive - Google/DropBox/iCloud/OneDrive. Settings allow synch or overwrite in either direction, auto or manual.
    • I do not, will not, trust hosted cloud services to protect data. "Cloud" means it's not your computer, not your storage, your data is not your property, and you waive your rights or sue in court for tortious infractions.
    • Cloud app hosting hacks happen ALL the time, to varying degrees. CISA and FBI reporting regulations are vague enough that app hosting services can tap-dance around 90 percent of incidents, especially if they host off-shore.
    • When quantum tools get out of the lab, almost no service provider will be prepared for the impacts. One really shouldn't leave your data out of one's sight, waiting for it to happen.
    • Of course, Google/DropBox/iCloud/OneDrive have their own attack surfaces. There is no such thing as risk avoidance; best you can do is risk management.
  • Peer-to-peer synch works across platforms, auto or manual.
  • Cross platform feature parity, and I've used them all, from Palm Pilots to Sonoma and iOS 17 and Win 11.
  • Credential records can be exported to new wallet files, or to text, so you can staple it to your will, in case a horse gets you.
  • Can auto-enter passwords for web sites, more or less like Apple's Keychain.
    • I leave auto-entry to Keychain, manually copy important passwords from keychain to eWallet.
  • NO SUBSCRIPTION (so far), no advertising embedded, free demo mode.
  • The company is American, with no detectable foreign influence.
Iliumsoft seems to keep publicity on slow-burn. They have a presence on Facebook, but rarely post. eWallet hardly EVER comes up in trade discussions and comparisons. One must search and unearth it. And that's fine. Public sentiment is trustworthy only when it is organic. Hype-chained PR causes trouble, distorts reality.
 
article says something about gaining cookies and session tokens. Someone who understands this more should give his input
I'm old AF and the threatscape changes fast; however, I am borderline literate and I have smarter coworkers who are sympathetic enough to help me sound out the big words... Superficially, the article seems sensible and credible.

According to open-sourced reports, the particular exploit/exfil affected 1PW's "Tech Support" service lane, not specifically the 1PW's actual core credential service lane. 1PW has gotten their a55 handed to them a time or two before, prompting them, one would hope to apply more rigorous architecture. Among the principles involved might be:
  • "Separation of Duties" with independent authentication and authorization (A&A) for each lane of operations (i.e., tech support, customer service, marketing, users and security operations).
  • Operators in each lane would have just barely enough privileges to get through the workday.
  • Each lane would require its own non-overlapping admin credentials that are non-persistent, i.e., elevated to admin privilege only when needed, upon request, validated by conditional access rules (including geolocation + mfa, preferably hardware token), and then demoted immediately after use back to a blocked state.
  • All user activity (internal staff and customer users) logs analyzed and correlated in real time for deviation from expected norms.
  • Security Operations Center (SOC) online, 24-7, staffed by skilled hunters (not mouth-breathing, pimply faced noobz) who not only watch reports, but actively seek out exploit attempts.
  • Regular compliance audits intended to uncover oversights and highlight areas to improve.
  • Coffee. Lots of coffee.
This is referred to as Zero Trust. It ain't easy or cheap (especially not good coffee). If you do the math, you can see why subscription payment models are necessary to sustain this level of hypervigilance. ArsTechnica's article referred to Beyond Trust, a vendor of apps and services that help implement, monitor and manage zero-trust architectures. They have plenty of competition, and such services can cost millions per year at scale. Remember that security ops is pure overhead that you hope never to need. (Which is why security and compliance budgets are often the first cut; executives and bureaucrats seldom make the stretch to truly comprehend the scope and risk. X much?)

Regardless of how well security products can work, architecture is critical. For example, if there were only one monolithic A&A directory for all operational lanes, and admin permissions persisted all day... Then a token/session compromise in a tertiary system, such as tech support, might have allowed access to the holy grail - users' decrypted credentials; clearly that's what the hacker was hoping for. But as it happened, 1PW had an effective kill chain in place.

This time.

Trust no one.

Get off my lawn.

You kids and your fancy phones.
 
I always like trying new apps in case of an emergency and I need to change, and I like to be ready. So the new password manager I am trying (again) is StrongBox.

When I last tried it, I don't remember seeing Google Drive and others to sync. I have it set up for only me right now and I have 3 months for free to play with it. I have 3 vaults right now, 2 are synced through iCloud and 1 synced through Google Drive. The one through Google Drive is my work vault and I am trying to find something that I can use on my work computer that is for the web browser only (seeing I can't install programs on it). I found KeeWeb and it does the job, but it's not smooth, so I am open to suggestions. If I like this, I might switch everything to Google Drive so I can sync to my Linux computer.

My issues are my in-laws and parents. My kids and wife I think will get used to this, but I need to make it easy for the "old folks".
 
In theory you are correct. But developers make mistakes, I am one myself so I should know ;) And these mistakes could lead to compromising passwords. Besides that there can always be a fraudulent employee. Not storing them in the cloud adds another layer of protection.
What if the cloud storage gets breached?
But if my data remains gibberish on 1Password's servers without my 'secret key', how do mistakes, rogue employees or security breaches constitute risks? My data either does remain indecipherable on their servers without my 'secret key' or it doesn't. I realise I'm taking that fact on trust, but if it's incorrect then everything that 1Password say about that would have to be one big lie, and that's a huge assumption. Is the secret key wholly generated on my device(s) and at every stage unknown to the company's systems?

One thing that puzzles me and gives me pause though, is why they took the decision to keep customers' data on their servers anyway. What is the point of this? They must know that customers by and large feel safer with local vaults, so why not allow them to have them?

1Password must surely read the comments and fears here: why don't they respond?

It's all very confusing to me. I'm using 1Password 7, the last 'local vault' version usable, and I already notice certain glitches (editing requires saving twice to see the edits updated). I really don't know whether I'm being paranoid about all this or whether I'm just being properly careful with my most sensitive data.
 
1Password must surely read the comments and fears here: why don't they respond?
For sure they do read those forums... But they don't really answer here. If you want some feedback and support post at reddit - they do have decent support over there.
 
For sure they do read those forums... But they don't really answer here. If you want some feedback and support post at reddit - they do have decent support over there.
They used to show up, once in a while, on threads here at MacRumors. Not sure why they stopped...
 
What, if anything, does 1PW offer that I can't get anywhere else?
It's more like what it used to have before it all went wrong, which I suspect is the bone of contention: a great UI, great password-saving and auto-filling functionality in a 'real' macOS app, as well as local vaults synced how the customer prefers. It had just about everything.

Now it's sluggish, "un-Mac" Electron, and mandatorily online vaults (why, no-one seems to know). I mean people are now (including myself) questioning 1Password's honesty and integrity going forward, and understandably looking for alternatives.
 
It's more like what it used to have before it all went wrong, which I suspect is the bone of contention: a great UI, great password-saving and auto-filling functionality in a 'real' macOS app, as well as local vaults synced how the customer prefers. It had just about everything.

Now it's sluggish, "un-Mac" Electron, and mandatorily online vaults (why, no-one seems to know). I mean people are now (including myself) questioning 1Password's honesty and integrity going forward, and understandably looking for alternatives.
I try different password managers all the time. Right now I am trying StrongBox and one big difference I see is sharing multiple vaults with others. In 1Password, it's so easy to make and share vaults, in Strongbox, not as much...

1Password makes it extremely easy for an average person (even my almost 80 year old mom can set it up on her own) to use. I think their UI is probably the best looking as well.
 
But if my data remains gibberish on 1Password's servers without my 'secret key', how do mistakes, rogue employees or security breaches constitute risks? My data either does remain indecipherable on their servers without my 'secret key' or it doesn't. I realise I'm taking that fact on trust, but if it's incorrect then everything that 1Password say about that would have to be one big lie, and that's a huge assumption. Is the secret key wholly generated on my device(s) and at every stage unknown to the company's systems?

One thing that puzzles me and gives me pause though, is why they took the decision to keep customers' data on their servers anyway. What is the point of this? They must know that customers by and large feel safer with local vaults, so why not allow them to have them?

1Password must surely read the comments and fears here: why don't they respond?

It's all very confusing to me. I'm using 1Password 7, the last 'local vault' version usable, and I already notice certain glitches (editing requires saving twice to see the edits updated). I really don't know whether I'm being paranoid about all this or whether I'm just being properly careful with my most sensitive data.
The reason local vaults were removed was due to 1Password's foray into the business sector. Without local vault compromise etc., businesses would be more willing to sign on. The private sector users are a casualty of 1Password's new business focus, in my opinion.
 
But if my data remains gibberish on 1Password's servers without my 'secret key', how do mistakes, rogue employees or security breaches constitute risks? My data either does remain indecipherable on their servers without my 'secret key' or it doesn't. I realise I'm taking that fact on trust, but if it's incorrect then everything that 1Password say about that would have to be one big lie, and that's a huge assumption. Is the secret key wholly generated on my device(s) and at every stage unknown to the company's systems?

One thing that puzzles me and gives me pause though, is why they took the decision to keep customers' data on their servers anyway. What is the point of this? They must know that customers by and large feel safer with local vaults, so why not allow them to have them?

1Password must surely read the comments and fears here: why don't they respond?

It's all very confusing to me. I'm using 1Password 7, the last 'local vault' version usable, and I already notice certain glitches (editing requires saving twice to see the edits updated). I really don't know whether I'm being paranoid about all this or whether I'm just being properly careful with my most sensitive data.

There is a very interesting Whitepaper on 1Password security design: https://1passwordstatic.com/files/security/1password-white-paper.pdf

It also tackles your question on the Secret Key.
According to the Whitepaper the Secret Key is generated on-device and never relayed to the company.
The same applies to your Master Password, which you choose yourself and which is also never relayed to the company.
The encryption key for your vault is then derived mathematically from your Secret Key and your Master Password (two-secret key derivation or 2SKD). The randomly generated Secret Key with a high entropy can partially make up for weak, human-chosen Master Passwords. However, it is wise to make the Master Password as good as possible.
To decrypt your vault, you need all three items: the vault, the Secret Key and the Master Password.
The Secret Key is stored on your authorized devices only, so you just need to remember the Master Password. It is never stored on 1Password's servers.
For authenticating on their servers, they use a process called Secure Remote Password (SRP), which makes it possible to decrypt your vault without ever sending your Secret Key or Master Password over the internet.

So if everything works as expected, if they implemented the process correctly as described in the Whitepaper, if you handle your Secret Key and Master Password correctly and if your device is not compromised, then in theory, there shouldn't be enough information on 1Password's servers to decrypt your vault, even if 1Password's servers are compromised and your vault is stolen.

These are many "ifs", however, and whether the system in real life is as secure as described in the Whitepaper, I cannot tell.

There is a lot of trust involved, even though they post reports of external audits online.
I've been a long-time 1Password customer and I find recent developments worrying, however, I am still satisfied with the app (works fine for me on the Mac, even though it is an Electron app) and the service, so for the moment, I am holding on.
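To make the two-secret key derivation described in the post above concrete, here is an added illustration in Python. It is not 1Password's code and not the exact construction from the whitepaper: the PBKDF2/HKDF-Expand/XOR combination, the stored verifier, the iteration count, the salt and the sample values are all assumptions made for this example. It shows the property the post relies on: a copy of the vault that holds only the salt and a verifier cannot be opened by guessing the Master Password alone, because the device-held Secret Key is a second, independent input to the key.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Parameters chosen for this illustration only (assumptions, not 1Password's real ones).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit vault key


def hkdf_expand(prk: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256; stretches the Secret Key to KEY_LEN bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def generate_secret_key() -> bytes:
    """Device-generated, high-entropy secret (128 bits here); it never leaves the device."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Two-secret key derivation: the human-chosen password is stretched with PBKDF2,
    the random Secret Key with HKDF, and the two results are combined with XOR.
    Knowing one input without the other reveals nothing about the resulting key."""
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )
    sk_part = hkdf_expand(secret_key, b"2skd-illustration" + salt)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(vault_key: bytes) -> bytes:
    """Check value kept in the vault header so a client can recognise the right key
    before decrypting; the key itself is not recoverable from it."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def try_unlock(vault_header: dict, master_password: str, secret_key: bytes) -> bool:
    """Re-derive the key from both secrets and compare with the stored verifier in constant time."""
    key = derive_vault_key(master_password, secret_key, vault_header["salt"])
    return hmac.compare_digest(make_verifier(key), vault_header["verifier"])


# Constructed sample data for the example (fixed values so the run is reproducible).
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
MASTER_PASSWORD = "correct horse battery staple"


def build_vault_header() -> dict:
    """What a sync server or a stolen copy ends up holding: salt and verifier, neither secret."""
    key = derive_vault_key(MASTER_PASSWORD, SECRET_KEY, SALT)
    return {"salt": SALT, "verifier": make_verifier(key)}


def offline_guessing_without_secret_key(vault_header: dict, candidates: List[str]) -> Optional[str]:
    """Models the 'vault stolen from the server' case: the attacker holds salt + verifier and a
    password list but no Secret Key, so each guess is combined with an unknown (here all-zero) key.
    Returns the recovered password or None. With a 128-bit Secret Key missing, even the correct
    Master Password on the list does not unlock the vault."""
    for guess in candidates:
        if try_unlock(vault_header, guess, bytes(16)):
            return guess
    return None


if __name__ == "__main__":
    header = build_vault_header()
    print("both secrets present:", try_unlock(header, MASTER_PASSWORD, SECRET_KEY))
    print("wrong password, right secret key:", try_unlock(header, "hunter2", SECRET_KEY))
    print("right password, no secret key:",
          offline_guessing_without_secret_key(header, ["hunter2", MASTER_PASSWORD]))
```

The design choice worth noticing is the XOR of two independently stretched secrets: the PBKDF2 work factor protects against a weak Master Password only while the Secret Key also has to be supplied, which is why the post's caveats about the device itself being compromised, or either secret being leaked, are the real risk to watch.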
 
But if my data remains gibberish on 1Password's servers without my 'secret key', how do mistakes, rogue employees or security breaches constitute risks?

I once had a Netatmo device that sent my WLAN key unencrypted to the server of the manufacturer. The reason was a forgotten debug statement.

Sure, that was sloppy, but these things do happen. Who can guarantee that some day the secret key, together with the passphrase, won't be transmitted in such a way?


What, if anything, does 1PW offer that I can't get anywhere else?

The UI is much better than most other alternatives. E.g. Bitwarden does not allow for custom icons in an entry or for section headings within an entry.
 