Advanced Data Protection, Apple Notes and 1Password

[slomojoe]

I use an encrypted disk that I put files and folders into and I also use 1Password for some files and notes.

I want to consolidate and make storing sensitive documents, data and passwords more simple.

I started to shift to password protected notes in Notes.

Am I correct in assuming that the need for password protecting notes (in Apple Notes) is no longer necessary (for protection from cloud intrusion, which says nothing about folks with access to my laptop) ? Everything will be encrypted so it makes no sense in encrypting a note that will get end to end to end encryption ?

Also, if I wanted to use a combination of Keychain and Apple Notes, is that effectively equally secure as 1Password in that both systems use e2e and only I have the keys ... 1Password does have the advantage of being secure within the system in that I need a password to open it so someone who got into my MacBook would need the 1Password master password.

I guess I can see that password protecting individual files in Notes does the same thing, adds an extra layer .... assuming I don't use the system password to protect notes which a lot of folks will likely do.

Just trying to figure out the best protocol and where to put everything. 1Password is relatively inexpensive so I don't object to subscribing, I just want something simple and secure.

Ideas appreciated.

 

[TorbenIbsen]

I used 1Password for years on our iPhones, Macs and iPads. Because I stored documents and needed those documents to sync between devices. And 1Password was able to do that to iPhone/iPad while Apple Keychain was not.

Now I only use Apple Keychain and Locked Apple Notes as they now also can synchronize to iPhone/iPad. Simplicity is important in my 2 person home as the elderly non-IT wife uses several of our computers (like identical iMacs on two floors). We move to Apple apps whenever that is a possibility for that reason. - It works well with Locked Notes.

I think that we can trust Apple just as much or more than the non-Apple solutions. Here is an example why: https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

I also think that we should give a thought to what the real security issues are in our local situation. In our case it is "safe enough" to use unique passwords (> 200) and 2FA in all situations where a credit card or other access to money are involved. Plus having "find my" active on all devices. - Robbery and burglary are not high risks where and how we live.

So this is "simple and secure" enough for us. It may not be so for others.

 

[slomojoe]

Right, I like 1password well enough but I want _simple_ so going with as much Apple is the way to go.
Will you turn on Advanced Data protection ?
If you do, I assume you will no longer password protect notes, correct ?

 

[ericg301]

I just switched from last pass to 1password and have been wondering if a locked apple note is a secure place to keep my secret key.

 

[gilby101]

Will you turn on Advanced Data protection ?
If you do, I assume you will no longer password protect notes, correct ?

That depends on your threat model. ADP protects data when it is NOT on your device - and that includes all Notes. A password in Apple Notes also provides protection when the notes are not on your computer - so a duplication. But, as well, a Notes password provides some protection for the notes on your device (e.g. from a nosy friend or family member using your computer).

Personally, I would not bother with a Notes password. Rather, I would put something needing local protection into 1Password.

 

[rhett7660]

I just switched from last pass to 1password and have been wondering if a locked apple note is a secure place to keep my secret key.

I do this... I just have a very looooooooooooong password for that note as well as a different password for my encrypted .dmg files.

 

[steve09090]

And… Lastpass was hacked.

Seriously, what is the point of Lastpass or 1Password when hackers have access to everything. Currently I have

1. a key or FaceID to open my phone,
2. I have FaceID and a key on certain individual notes.
3. I have FaceID on passwords for web etc. through Passwords and Security on my phone.

Why do I need to pay an extra subscription on what is now an insecure password manager?

 

[slomojoe]

And… Lastpass was hacked.

Seriously, what is the point of Lastpass or 1Password when hackers have access to everything. Currently I have

1. a key or FaceID to open my phone,
2. I have FaceID and a key on certain individual notes.
3. I have FaceID on passwords for web etc. through Passwords and Security on my phone.

Why do I need to pay an extra subscription on what is now an insecure password manager

1password was not hacked and offers a more robust set of options than just using Apple keychain, so I think it’s worth the subscription, but in the end we all have to choose the protocols that work best for us

Your setup looks ok especially if you have advanced data protection turned on

 

[steve09090]

1password was not hacked and offers a more robust set of options than just using Apple keychain, so I think it’s worth the subscription, but in the end we all have to choose the protocols that work best for us

Your setup looks ok especially if you have advanced data protection turned on

I’m not sure what this means then.

"LastPass said customer data was significantly compromised after an unknown threat actor copied a cloud-based backup of customer vault data. The information included encrypted passwords, usernames and form-filled data."​

 

[chabig]

I’m not sure what this means then.

"LastPass said customer data was significantly compromised after an unknown threat actor copied a cloud-based backup of customer vault data. The information included encrypted passwords, usernames and form-filled data."​

LastPass was hacked. 1Password was not. And 1Password didn't doesn't do, to anyone's knowledge, the crazy **** that left LastPass data vulnerable.

 

[slomojoe]

I’m not sure what this means then.

"LastPass said customer data was significantly compromised after an unknown threat actor copied a cloud-based backup of customer vault data. The information included encrypted passwords, usernames and form-filled data."​

We are talking about two different companies right?

Last Pass was hacked but not 1password

Also, yes they did get customer data but vaults are still secure even from brute force attacks assuming the use of good quality, robust master passwords

 

[chabig]

As I understand it, 1Password encrypts everything, while LastPass was keeping saved website addresses in unencrypted form, only encrypting the username/password pair–very bad because you can see where people have accounts, and some of the saved URLs contain valuable information themselves in the form of passed parameters.

 

[slomojoe]

As I understand it, 1Password encrypts everything, while LastPass was keeping saved website addresses in unencrypted form, only encrypting the username/password pair.

Sounds right

I think 1password is pretty well run but you never really know until it’s too late

 

[steve09090]

Sounds right

I think 1password is pretty well run but you never really know until it’s too late

That’s the problem isn’t it. No one is immune to this.

As I understand it, 1Password encrypts everything, while LastPass was keeping saved website addresses in unencrypted form, only encrypting the username/password pair–very bad because you can see where people have accounts, and some of the saved URLs contain valuable information themselves in the form of passed parameters.

My understanding is that you are correct. Lastpass are saying that brute force hacking on the passwords assumes they would be safe more or less.

I guess 1Password & Lastpass are both considered the leaders in consumer password safety, and I am wondering what they have to offer over iCloud & Keychain?

 

[cyb3rdud3]

That’s the problem isn’t it. No one is immune to this.


My understanding is that you are correct. Lastpass are saying that brute force hacking on the passwords assumes they would be safe more or less.

I guess 1Password & Lastpass are both considered the leaders in consumer password safety, and I am wondering what they have to offer over iCloud & Keychain?

I would not put Lastpass in the same group as 1Password. Sure the service is the same but the way the product and service is architected and the companies run is very very different. This wasn't the first time either for Lastpass being hacked.

One of the main things they have of iCloud/Keychain (talking about 1Password here) is multi-platform access. I can use it on as good as any device and browser that I want. Not just apple ones. Also multi-factor authentication integration of TOTP codes has been there for a long long time. For a family unit, or even work, there are also options. For example for our family we've got shared vault for streaming services that don't allow multiple individual accounts. Also got a break glass / fracture feature for say when the worst happens to me or to me wife such that we can access each others accounts and deal with situations without ordinarily having to share and sync passwords. The list goes on an on.

The functions inbuilt in apple are a lot better than they were, to me they are useful for non demanding users, but the moment you have a family, or work, or multiple devices and don't just use Apple the others like 1Password or Bitwarden come into their own.

 

[steve09090]

I would not put Lastpass in the same group as 1Password. Sure the service is the same but the way the product and service is architected and the companies run is very very different. This wasn't the first time either for Lastpass being hacked.

One of the main things they have of iCloud/Keychain (talking about 1Password here) is multi-platform access. I can use it on as good as any device and browser that I want. Not just apple ones. Also multi-factor authentication integration of TOTP codes has been there for a long long time. For a family unit, or even work, there are also options. For example for our family we've got shared vault for streaming services that don't allow multiple individual accounts. Also got a break glass / fracture feature for say when the worst happens to me or to me wife such that we can access each others accounts and deal with situations without ordinarily having to share and sync passwords. The list goes on an on.

The functions inbuilt in apple are a lot better than they were, to me they are useful for non demanding users, but the moment you have a family, or work, or multiple devices and don't just use Apple the others like 1Password or Bitwarden come into their own.

That's a really good explanation. Thanks. I'm solely Apple, and I use the usual cross devices (iPhone/iPad/Macbook) so it works perfectly for me. You answered all my questions.

 

[awawiwawa]

I have used 1Password for many years paying the subscription annually, I love how 1Password allows you to manage all your information (passwords, credit cards, single passwords, documents, etc) in a simple way and perfectly synchronized on every device.

Now, having only an iPhone and a Mac, I started transferring everything to Apple services. iCloud Keychain manages passwords, and it's true, it still has few features compared to 1P but with the possibility of keeping 2FA codes and adding notes, in my case it is more than enough.
All other information is on Apple's secure notes. From the support page, your secure notes are end-to-end encrypted.

In the end, it's just a matter of choice, in my case 1P has become quite expensive but I continue to recommend it to friends and family who have never used a password manager before and are looking for something simple and immediate.
For others there is Bitwarden, the annual cost is nothing, it may be more cumbersome at the beginning but it's just a matter of getting used to it.

Whatever your choice, always remember to have at least one external backup copy of all your data. On Reddit, I occasionally find people who have signed out of their iCloud account and can no longer access their passwords, similar for password managers.

 

[slomojoe]

I have used 1Password for many years paying the subscription annually, I love how 1Password allows you to manage all your information (passwords, credit cards, single passwords, documents, etc) in a simple way and perfectly synchronized on every device.

Now, having only an iPhone and a Mac, I started transferring everything to Apple services. iCloud Keychain manages passwords, and it's true, it still has few features compared to 1P but with the possibility of keeping 2FA codes and adding notes, in my case it is more than enough.
All other information is on Apple's secure notes. From the support page, your secure notes are end-to-end encrypted.

In the end, it's just a matter of choice, in my case 1P has become quite expensive but I continue to recommend it to friends and family who have never used a password manager before and are looking for something simple and immediate.
For others there is Bitwarden, the annual cost is nothing, it may be more cumbersome at the beginning but it's just a matter of getting used to it.

Whatever your choice, always remember to have at least one external backup copy of all your data. On Reddit, I occasionally find people who have signed out of their iCloud account and can no longer access their passwords, similar for password managers.

you are correct 1password is robust and keychain is not but it does do the basic stuff quite well, we disagree on cost, based on what I pay for subscriptions yearly, 1password seems very fairly priced

I assume you are using a different password for your Mac and your keychain ... right ?

 

[ignatius345]

And… Lastpass was hacked.

Seriously, what is the point of Lastpass or 1Password when hackers have access to everything.

1Password has much more robust encryption than LastPass, even if it gets breached (which it hasn't). LastPass is a pretty poor option from what I can tell, and I'm very thankful right now I moved on from it years ago.

I'm not a fan of subscriptions, but this is a very high-stakes thing, and 1Password offers a lot of added value over and above security, like well-updated browser plugins, good apps on different platforms, flexible family sharing options.

 

[awawiwawa]

you are correct 1password is robust and keychain is not but it does do the basic stuff quite well, we disagree on cost, based on what I pay for subscriptions yearly, 1password seems very fairly priced

I assume you are using a different password for your Mac and your keychain ... right ?

I agree with you, 1P's price is fair for all the features it offers, just that in my base case I don't need it (for example I love the integration 1P did with ssh key generation on GitHub, but in the end I would only use it once).

Yes, I have two different alphanumeric passwords for Apple ID and devices like iPhone and Mac. Perhaps the only problem is when the iPhone asks me for the password to unlock the face id, and I have to write down the whole password, but it happens quite rarely.

The only things I miss about 1P are: the apple watch app that I often used to see some pins on the fly, a separate "real" app and the global autofill (very nice the 1P one that you can fill in the fields on a desktop app). Also I still don't understand why the keychain app allows you to create secure notes but these are only synced between Macs.

 

[MacBH928]

What are you trying to do? Store passwords? files? or text notes?