If you want an excellent password manager without the subscription fee, I highly recommend Strongbox. It is much better than LP, it rivals 1Password in features and UI, and the free option is probably more than enough for most people. If you want to be able to unlock with your watch and a few other features, they offer a one-time payment, which is what I did and I haven't regretted the move from 1Password, which ends in January.


Strongbox has a better privacy policy than 1Password and better security.
Why do you make that claim regarding Strongbox security? Do you know of a third-party audit, or have you reviewed the code?

I'm a current user of 1Password, and the reason I use them is due to trust. But I really have nothing to go on other than a rudimentary review of the company and what documents are made available. To me, features are secondary. I want the most secure password vault as I store it in the cloud. I'll move away from 1Password if I find one that deserves more trust.
 
KeePassX is free and not cloud based - also Dashlane is great. In the past both 1Password and LastPass, being cloud based, have had some security issues and one of them may have even been breached at one point.
 
I switched to Bitwarden in the end, 1Password wasn't "it" for me (not bad, but I see little benefit over cheaper Bitwarden).
 
As you know, a full audit has not been done; only a partial one. The privacy policy for Strongbox is much better than 1Password, in my opinion.

No data leaves Strongbox (to a supported cloud for syncing) unless the user enables the feature or enables some of the "pro" features, which again, is better than the 1Password subscription model, in my opinion.

If you haven't already, read some of the security FAQ on Strongbox.


The code for Strongbox is open source and anyone can do a full audit. I am guessing the developer hasn't done such thus far, because he is a one-man show.

I don't believe I have said anything that has been inaccurate about Strongbox. It does have security that does rival 1Password, in my opinion.

If you want to continue to disagree, that is fine.

1Password is a fine product, but I see no point in paying for a subscription where I can't have full control of my data. I also prefer the fact that Strongbox is open source and also has a solid privacy policy. I stand by what I said previously.

I also think Bitwarden is an excellent product. It has been audited and is open source as well. And no data has to leave the device, unless the user specifically enables the feature for syncing etc. and certain extra features like watch unlock etc.

I am not sure why you have a problem with what I posted.
 
I think Strongbox is based on the same open source as KeePass - which I’ve used for over a decade. It is still getting updates, as it did yesterday. So I think a common code base is a strong selling point.
 
Sorry if I wasn’t clear. I wasn’t disagreeing so much as inquiring if you had some info that I wasn’t aware of.

That said, I do tend to trust open source more than closed software, in many cases. I just don’t have the ability to review the code myself for something as complex as a password manager.

I own the latest 1Password version and host the password database on iCloud, not 1Password's server, so I do have full control of it, or at least 1Password does not.

One thing that does make me a bit skeptical of Strongbox is that it is a single developer. Maybe that is a plus, or it could be a negative, depending on how skilled he is.
 
Thanks for clarifying.

Valid point about the developer. He has been very attentive when I have contacted him.

As far as I can ascertain, Strongbox is as strong as current technology allows within the Apple system. And for me, that is comforting.

I am confident in saying, that there is no way any person could get inside my Strongbox app on iOS or Mac. It would take more lifetimes than we both can imagine, and that is with numerous computers, not to mention, if someone (like a family member etc.) got a hold of one of my devices and got curious, they would have to not only get through the master password, they would also have to get through the long PIN code. And if that doesn't seem like enough to some reading, a person would also have to get past my double blind password process. That means, if a person were to see my password for MR (for instance) and tried to log in as me with the credentials seen, it still would not work, because the password would be missing the crucial input that completes the password and has not been saved in Strongbox, 1Password, Bitwarden, or any other manager.

I asked 1Password for years to please institute a required backup method to the master password.

I also like the fact that I don't have to access the internet, in order to change account settings like you do with 1Password (re: master password).

It's a good thing you are keeping everything on your devices so long as you have multiple backups. Bitwarden also allows for self-hosting although I haven't tried that option, yet.

 
KeePassXC is by far the best port of KeePass for macOS.

Multiplatform origin (KeePass), multiplatform file format of KeePass, fully free, fully documented, open source [which is essential for getting peer review of the cryptography (1)]. What more could one want?


You can easily store the password safe in iCloud, or Google Drive etc.; it's all quite simple to do.
Plugins for browsers also exist if you don't want to cut&paste the passwords yourself.

More KeePass implementations for other platforms than the Mac:

(1):
As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security; we have for decades. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code. For us, open source isn't just a business model; it's smart engineering practice.
Bruce Schneier, Crypto-Gram 1999-09-15.
 
Just installed the Windows client - looks polished and of course picked up my KeePass2 file.
 
If you need an implementation for an iPhone or iPad:
Kypass is pretty good (not free unfortunately)
 
Pricing looks reasonable for both platforms.
 
With Keychain, there is no editing outside of the username and password. Keychain doesn't always work like it should. And if Keychain gets a glitch and doesn't work at all or you suddenly find your information for some websites is gone, you are in big trouble. Keychain doesn't inform you of data breaches that I recall. It doesn't allow you to store other sensitive information.
iCloud Keychain does inform you of security breaches and weak passwords, but you have to do some digging.

On iOS, go to Settings > Passwords > Security Recommendations. In that section, it will show you High Priority passwords that you should change if the password has appeared in a data leak. It also warns you of reused passwords and easily guessed passwords.

It would be nice if Apple would turn this into an actual full featured app that we could store other information in, but I guess that's not happening anytime soon.
 
Hi, mind expanding on that? :)


In my opinion, Strongbox is better because the sensitive data remains on your device and is not transmitted to the developer or stored on any company servers. The only time data would not stay on your device is if you chose to use iCloud or another supported cloud service. At that point, privacy is then between you and the respective cloud service.

Strongbox does not have access to your data at any time.

While data is encrypted with 1Password, the data is stored on servers in the EU, which I do not like. I also do not like that the data servers have to be serviced by authorized personnel from a third party, even though the data is (supposedly) encrypted.

"Your Secure and Service data are held by third party data processors, who provide us with hosting and other infrastructure services. The locations of these are described above. In many cases (but we cannot promise that this will always be the case) even Service data held by these entities is encrypted with keys held only by us."
 


1Password only stores your information in the EU if you’re using 1Password.eu, and that’s to comply with EU data regulations. If you sign up at 1Password.com or .ca, the servers are in North America.

Also, when they say your data is held by a third-party, that’s because they use Amazon Web Services for their servers.

| Accounts on: | Billed in: | Secure data hosted in: | Service data restricted to: |
| --- | --- | --- | --- |
| 1Password.com | 🇺🇸 USD | United States | 1Password staff |
| 1Password.ca | 🇨🇦 CAD | Canada | 1Password staff in EU or Canada |
| 1Password.eu | 🇪🇺 EUR | European Union | 1Password staff in EU or Canada |
 
Do you have any information to support the inference that the data is not encrypted while in 1Password control?
I put supposedly in parentheses because I can’t personally confirm that it is or isn’t. There are many here who like to quibble over every single syllable, so I did that as a means to stop replies saying, how do you know it is etc. With your reply, that obviously didn’t work.
 
1Password data is encrypted on your device by your master password, so yes, the data is encrypted when it's on the servers used by 1Password. Only your master password can unlock the data.

 
I've been subscribed to 1Password for a few years, it could be cheaper but I don't really mind. Their apps are great on all platforms, although after migrating to the new Air I wish they were quicker with an Apple Silicon version.

How do you like macOS apps of other services?
 
One thing I currently dislike about Bitwarden (but it seems to be a "limitation" of Firefox, rather than Bitwarden's fault) is that the vault in Firefox extension won't lock on system sleep. It works in Chrome but not in Firefox allegedly because the latter won't allow access to certain API or something like that. Which is pretty much a deal breaker for me currently. 1P on the other hand will lock nicely when I put my Mac to sleep...

Folks at 1P were generous enough and offered me 1-yr free subscription for upgrading from 1P6 to 1P7, so I'll take that and hopefully a year from now something will have changed regarding the above shortcoming in Firefox.
 
Haven't tried 1lastpass. But I've been using LastPass for 2 years but need to change to Keeper. Not sure though if you can download it on your Mac.
 