In the link I referenced earlier, the person was slightly critical of Bitwarden's use of a garbage collected language. TypeScript is such a language, so that must have been what he was referring to. 1Password uses Rust for its security bits. Check out https://www.wired.com/story/rust-secure-programming-language-memory-safe/.

I have no idea on what basis programmers choose the coding language. Let's assume Rust is best for security, why would Bitwarden go with less pleasing TS? In addition, Enpass is written in C++ as it seems.
 
I have no idea on what basis programmers choose the coding language. Let's assume Rust is best for security, why would Bitwarden go with less pleasing TS? In addition, Enpass is written in C++ as it seems.

Rust is somewhat new. 1Password rewrote their app recently and picked a very secure language. And, just guessing, when Bitwarden and Enpass wrote their software they used what they knew best.
 
Been thinking more and more on the open source angle. Let's say I choose some open source manager that others talk about and do a little research to see what that tells me. In my mind I'm comparing what I see to the extreme competence that 1Password shows.

So, I picked Codebook that someone on another thread said they use. Of course the implied advantage of open source is right on their main page.

Peer-reviewed encryption with SQLCipher

Their SQLCipher package does seem to be heavily used - 1,200 forks on GitHub. I checked out a couple of the contributors. They seem like pretty serious security people. I can't really comment on how deeply they are involved, but for the most part it seems reassuring.

But, the whole application is not open source. Major vulnerabilities would not be visible to outside people. So I took a look at the people who worked there. They really have just a few developers and their credentials are not mentioned. The only developer that seems to work on cryptography has a job description that reads:

Nick leads Zetetic's Android efforts, building SQLCipher and Codebook, but also uses his .NET experience developing web applications for clients and internal projects.

There is no evidence of any independent audits. In the end, even though I don't distrust the product, I have no reason to trust it.
 
Been thinking more and more on the open source angle. Let's say I choose some open source manager that others talk about and do a little research to see what that tells me. In my mind I'm comparing what I see to the extreme competence that 1Password shows.

So, I picked Codebook that someone on another thread said they use. Of course the implied advantage of open source is right on their main page.
Their SQLCipher package does seem to be heavily used - 1,200 forks on GitHub. I checked out a couple of the contributors. They seem like pretty serious security people. I can't really comment on how deeply they are involved, but for the most part it seems reassuring.

But, the whole application is not open source. Major vulnerabilities would not be visible to outside people. So I took a look at the people who worked there. They really have just a few developers and their credentials are not mentioned. The only developer that seems to work on cryptography has a job description that reads:
There is no evidence of any independent audits. In the end, even though I don't distrust the product, I have no reason to trust it.
Did you bother to read the history of SQLCipher (https://www.zetetic.net/sqlcipher/about/), and review a partial list of all the companies that Zetetic is a supplier to?:

“SQLCipher was originally developed and is currently maintained by Zetetic LLC. The public release of SQLCipher was released in November, 2008. At first, SQLCipher was solely used as the security backend for our password manager and data vault, Codebook. However, with its small footprint and excellent performance, it quickly became a popular security tool, especially for mobile developers. SQLCipher is ideal for protecting application data of all kinds. SQLCipher uses peer-reviewed cryptographic providers and algorithms to ensure that all data in encrypted databases is secured. Simple configuration and good default security practices reduce the burden on developers implementing security solutions. Likewise, broad platform support across iOS, Android, Windows, macOS, and Linux environments, with cross-platform database compatibility, ensures that SQLCipher will work anywhere it's needed. For these reasons, SQLCipher is now one of the most widely used secure database solutions available, protecting data for thousands of applications on hundreds of millions of devices.”

Apparently “protecting data for thousands of applications on hundreds of millions of devices” is just not good enough for you!

Codebook has been around since 1998, when it was called STRIP and ran on the Palm platform. Are you aware of any issues with the software in its 25 year history?

Does 1Password allow you to store your data vault locally and sync via WiFi, which is the most secure way to operate?

Does Zetetic have a reputation for lying to their customers, or is that just 1Password?
 
Did you bother to read the history of SQLCipher (https://www.zetetic.net/sqlcipher/about/), and review a partial list of all the companies that Zetetic is a supplier to?:

Not related to my point. SQLCipher is probably great, but there's a whole application wrapping it which is an unknown.

For example, 1Password is careful to clear the clipboard of passwords after a bit. Does Codebook do that? It's important since websites might be able to grab your clipboard. Maybe they do handle that, but that's the kind of detail that is not in the open source part of things.

I've started investigating KeePass as well. They don't have a visible repository for the source code; the source is shipped in the zip files. So there's no easy way to track its evolution - that's critical to understanding bugs. Someone realized the need for that and made their own GitHub repository from the various source code releases. Do I even trust that person? I give KeePass' open source-ness a failing grade since it would be very hard for the community to even participate.

I don't mean to imply that Codebook and KeePass aren't excellent. My point is that an advertisement of being open source should not inspire confidence until you've checked the details. I've started checking some details.
 
For testing purposes I launched the Bitwarden app. It was a heavy launch, but RAM usage is 238MB.
The RAM footprint of 1Password and its additional processes on my Mac:

[screenshot: Capto_2023-06-29_10-42-01_.png]
 
Not related to my point. SQLCipher is probably great, but there's a whole application wrapping it which is an unknown.

For example, 1Password is careful to clear the clipboard of passwords after a bit. Does Codebook do that? It's important since websites might be able to grab your clipboard. Maybe they do handle that, but that's the kind of detail that is not in the open source part of things.

I've started investigating KeePass as well. They don't have a visible repository for the source code; the source is shipped in the zip files. So there's no easy way to track its evolution - that's critical to understanding bugs. Someone realized the need for that and made their own GitHub repository from the various source code releases. Do I even trust that person? I give KeePass' open source-ness a failing grade since it would be very hard for the community to even participate.

I don't mean to imply that Codebook and KeePass aren't excellent. My point is that an advertisement of being open source should not inspire confidence until you've checked the details. I've started checking some details.

@maflynn would rather not discuss out of topic but I'll gladly continue this conversation in the 1password migrants thread
 
My point is that an advertisement of being open source should not inspire confidence until you've checked the details. I've started checking some details.
Exactly, just because it's open source doesn't automatically make it safer. People hide behind "it's FOSS, so it's better" when the code can be fraught with insecurities.

I'm not saying closed source is better but rather the licensing model is not the guarantor of better security.
 
Proton finally released their password manager and since I subscribe to their service, I'm considering it, but so far from my initial research, it seems fairly barebones as compared to what other password managers (not just 1Password) offer.

There's no desktop app. I don't see any sort of reporting on weak or compromised passwords. It's still early and it does seem to have a 1PW import process, so I'll update this thread with the results of that.

Overall, I can see this being useful for anyone who's full on invested with proton, and while I use their email and VPN, I'm not 100% invested, that is I'm not a proton fanboy ;)
 
One thing that I'm concerned about with Proton is the master password. It's the same password for my email (and VPN). I have a highly complex password for Proton, yet that won't be feasible since I need to type it in before using Proton. I currently use 1PW to authenticate to Proton. So that means using a password that I can remember and type in manually.

1Password offers the higher level of security imo with the use of the secret key. Basically, if I use Proton's password manager, then if my password used for my email is compromised, that also means my password manager - I'm not really liking that at all.

Being the 1PW Remigrant thread, I would want any contender to offer something more than what 1PW offers, and I'm not seeing that with Proton.

1PW vs. Bitwarden on the other hand - the jury is still out. I'm like 90% sure I'll be sticking with 1PW, but as I posted previously I want to switch back to BW and see if I miss anything in 1PW and whether it's worth the price.
 
1Password offers the higher level of security imo with the use of the secret key.
This right here pretty much settles it for me. Whatever I'm paying for 1Password every year (and it's not a lot), absolutely pales in comparison to the disruption, stress and potential loss associated with having my vault compromised in a hack.
 
Regarding Electron, I have no issues with the performance of 1Password, but I do wonder about the security of it. Electron has had some security issues in the past, though I don't know the details.

Just as Codebook should be viewed as two separate pieces, the open source piece and the closed source piece, 1Password could be viewed analogously: the Rust security piece and the Electron user interface piece. Using the same feature I mentioned with respect to Codebook, it seems likely that clipboard handling is part of the Electron related code. So, Electron security vulnerabilities do contribute to 1Password's total surface area of risk. I guess that's kind of obvious.

Electron is open source. I'm absolutely certain that any patched Electron vulnerability would be rolled out to 1Password very quickly; they patch so often. But still, it's worth worrying about outsourced code and how it can impact the security of 1Password. On the other hand, I'm not worried about outsourced security libraries that 1Password uses, since they would be maintained far more rigorously.

In my ignorance I think Electron is a concern. I have not researched 1Password's position on this or how they handle it.
 
This right here pretty much settles it for me. Whatever I'm paying for 1Password every year (and it's not a lot), absolutely pales in comparison to the disruption, stress and potential loss associated with having my vault compromised in a hack.
No question, I'm a subscriber to Proton, and they now have a password manager, but I noticed one major flaw. I sign into the password manager using my Proton credentials. Those credentials use a wildly complex password that 1PW fills in dutifully. Now if I were to use the Proton password manager, I'd need to update the password and manually enter it, which means a passphrase that I can remember. So if my email gets compromised, my password manager is compromised.

With 1PW, it doesn't matter (to a degree) if the password is compromised, without the secret key, there's no way to access my vault.
 
No question, I'm a subscriber to Proton, and they now have a password manager, but I noticed one major flaw. I sign into the password manager using my proton credentials.

It's kind of hard to wrap my head around them making such a seriously flawed design decision. It casts doubt about their understanding of the problem space of password managers.
 
Not related to my point. SQLCipher is probably great, but there's a whole application wrapping it which is an unknown.

For example, 1Password is careful to clear the clipboard of passwords after a bit. Does Codebook do that? It's important since websites might be able to grab your clipboard. Maybe they do handle that, but that's the kind of detail that is not in the open source part of things.

I've started investigating KeePass as well. They don't have a visible repository for the source code; the source is shipped in the zip files. So there's no easy way to track its evolution - that's critical to understanding bugs. Someone realized the need for that and made their own GitHub repository from the various source code releases. Do I even trust that person? I give KeePass' open source-ness a failing grade since it would be very hard for the community to even participate.

I don't mean to imply that Codebook and KeePass aren't excellent. My point is that an advertisement of being open source should not inspire confidence until you've checked the details. I've started checking some details.
“Not related to my point. SQLCipher is probably great, but there's a whole application wrapping it which is an unknown.”

It absolutely is related to your point! The same people who developed SQLCipher wrote Codebook. They have been developing a password manager for a quarter of a century without any issues, and yet you make comments like, “I have no reason to trust it.” I don’t get your logic.


“For example, 1Password is careful to clear the clipboard of passwords after a bit. Does Codebook do that?”

Yes. From the documentation: “Codebook automatically wipes secrets from the system clipboard after 2 minutes.”


I don’t view Codebook in the same vein as KeePass. Everything in Codebook was created by the same developers, whereas many unrelated folks have had their hands in KeePass. Zetetic is a commercial company in the full time business of creating security products. KeePass is an internet cluster..... I would never use KeePass!
 
It absolutely is related to your point! The same people who developed SQLCipher wrote Codebook. They have been developing a password manager for a quarter of a century without any issue

That's incorrect. Check out the committers for SQLCipher. There are people who don't work at Codebook. Check out the people who work at Codebook. They are very young.

Sorry. I can't seem to communicate my point to you. I'll drop it.
 
That's incorrect. Check out the committers for SQLCipher. There are people who don't work at Codebook. Check out the people who work at Codebook. They are very young.

Sorry. I can't seem to communicate my point to you. I'll drop it.
I checked out the committers for SQLCipher, and four of the top five are Zetetic employees, including Stephen Lombardo and Nick Parker, who are by far the top contributors.

Then, there is this statement on Zetetic’s website: “We are a small company with a wealth of practical experience in applied security. We are the primary developers behind the SQLCipher encrypted database library and Codebook Password Manager.” Thus, I stand by my “The same people who developed SQLCipher wrote Codebook” statement.

I understand you want to drop the subject, and I am more than fine with that.
 
This right here pretty much settles it for me. Whatever I'm paying for 1Password every year (and it's not a lot), absolutely pales in comparison to the disruption, stress and potential loss associated with having my vault compromised in a hack.

Unless, of course, you don't keep your vault in some SaaS, thereby eliminating any hack, let alone potential for a hack. Hence, why people would rather have standalone vaults, like what 1Password used to offer. Paying the single price upfront for the permanent use of a standalone vault makes that single cost so much more valuable than paying monthly for something that could potentially be hacked because one is putting their credentials in the trust of someone else.

BL.
 
I checked out the committers for SQLCipher, and four of the top five are Zetetic employees, including Stephen Lombardo and Nick Parker, who are by far the top contributors.

Then, there is this statement on Zetetic’s website: “We are a small company with a wealth of practical experience in applied security. We are the primary developers behind the SQLCipher encrypted database library and Codebook Password Manager.” Thus, I stand by my “The same people who developed SQLCipher wrote Codebook” statement.

I understand you want to drop the subject, and I am more than fine with that.
yes, drop it.
 
Proton finally released their password manager and since I subscribe to their service, I'm considering it, but so far from my initial research, it seems fairly barebones as compared to what other password managers (not just 1Password) offer.

There's no desktop app. I don't see any sort of reporting on weak or compromised passwords. It's still early and it does seem to have a 1PW import process, so I'll update this thread with the results of that.

Overall, I can see this being useful for anyone who's full on invested with proton, and while I use their email and VPN, I'm not 100% invested, that is I'm not a proton fanboy ;)
Their "terms of use" are not user friendly.
 
Unless, of course, you don't keep your vault in some SaaS, thereby eliminating any hack, let alone potential for a hack. Hence, why people would rather have standalone vaults, like what 1Password used to offer. Paying the single price upfront for the permanent use of a standalone vault makes that single cost so much more valuable than paying monthly for something that could potentially be hacked because one is putting their credentials in the trust of someone else.

BL.
Yeah, the thing is, I have to live my actual life. I don’t spend all my time on one computer. I also share stuff with my family. I’m fine paying ongoingly for 1Password because they keep it updated and they keep it secure. Works for me.
 
Yeah, the thing is, I have to live my actual life. I don’t spend all my time on one computer. I also share stuff with my family. I’m fine paying ongoingly for 1Password because they keep it updated and they keep it secure. Works for me.

I don't spend my entire time on one computer, either. I was, however, prior to 1Password 8, able to sync my standalone vault between my MBP, iPad, and iPhone, as well as back up my vault to my NAS (which is not exposed to the Internet), leaving myself safe.

The problem I have with 1Password (which is why I migrated off of it, cutting my losses early due to Rosetta 2 being dropped soon, and going to Apple Silicon over Intel) is that not only are they no longer allowing standalone vaults, but you have to store your vaults on their servers, losing nearly all autonomy in where you can store your data.

All of that, on top of in a year's time, paying more for the service than the standalone license would cost.

Not having my entire time on one computer isn't the problem; lack of autonomy and what I can do with my data (and more importantly, where I can store my data) is. If they had left the provisioning servers up to provision standalone licenses for 1Password 7, I'd jump all over it, since that one is a universal binary, which would survive the loss of Rosetta 2, but they turned those off, leaving no upgrade path for anyone with 1Password 6 and older that does not require a subscription. That left a lot of their users stranded with nothing to do.

BL.
 
Their "terms of use" are not user friendly.
If you're talking about the terms of service (as mentioned in the other 1PW thread), then that doesn't seem all that different from any other password manager - at least 1Password and Bitwarden. I'm not about to search out all of the others.
 