I had rated this password manager too, I love the minimalistic design but it's a shame it doesn't have any security audit report. From what I've read around, the manager was created and managed by just two people.

In the end, using only an iPhone and a Mac, I transferred everything to Keychain and protected notes.
Wow, they haven't had any audits yet and say "As soon as possible!" Yikes!
 
Wow, they haven't had any audits yet and say "As soon as possible!" Yikes!

Yep, on the one hand, I am happy that there are people who focus on security rather than the usual game with microtransactions, but on the other hand, we are talking about security and storing information that represents our digital life and beyond. As far as I know, security audit reports are very expensive, and not every small company can afford them.

And here the dilemma arises: it's right that you developers earn (applause to those who have no subscription but a one-time purchase), but if you have no way to certify the security of your app, maybe you could think about making the project open source like Bitwarden.
You increase your visibility and anyone can help improve your product by finding bugs and improving features.
Same as Bitwarden, you charge a low-priced subscription or license purchase to get all the features.

Obviously, this is just my opinion. Many might say, why trust Apple and Keychain, which is closed source? It's true, but Apple has enough resources to hire qualified personnel for security development.

If I had to choose between Keychain and Minimalist I'd stick with Keychain, but I'd like to have a mixture of the two, Minimalist's interface and Keychain's security.
 
... but if you have no way to certify the security of your app, maybe you could think about making the project open source like Bitwarden.

Being open source is no evidence that competent eyes are seriously reviewing the security aspects of the code. Audits are much more relevant. I agree, it's a problem that they're expensive.

I read at https://infosec.exchange/@Jwilliams/109586918036144213 the quote "I've also considered crowdfunding a formal audit of Bitwarden...". So that author feels that's missing. I see that Bitwarden did a source code audit in 2021. I took a look and a lot of issues were raised. Bitwarden fixed them during the audit. I would be more confident if they did more regular audits.

I guess one could try to review the pull requests to see if Bitwarden gets any significant benefit related to security by virtue of it being open source. No doubt they do get plenty of benefit related to the general quality of their product as most of the pull requests I see are people suggesting fixes to bugs they are facing or improvements they'd like to see.
 
Given the new details on the latest hack on LastPass, all this talk about the security of which company one uses is pretty irrelevant. The attacks focus outside, on the employees and vendors. This time a Plex account on an engineer's home laptop.
 
iCloud Keychain works really well for me, plus it handles having multiple accounts on the same site pretty well, if that's something you deal with a lot (like I do on YouTube).
 
Given the new details on the latest hack on LastPass, all this talk about the security of which company one uses is pretty irrelevant. The attacks focus outside, on the employees and vendors. This time a Plex account on an engineer's home laptop.

I think it does speak to the security of the LastPass company. They allowed a senior engineer to do sensitive work on a computer where he had installed his own personal software. The engineer should have had his work restricted to a company-owned, locked-down computer.
 
I think it does speak to the security of the LastPass company. They allowed a senior engineer to do sensitive work on a computer where he had installed his own personal software. The engineer should have had his work restricted to a company-owned, locked-down computer.
A simple search will show the majority of the largest hacks in recent times focused on employees and vendors with social engineering, not the core software. Since the pandemic, work from home covers most industries and IT departments. Nice try.
 
Given the new details on the latest hack on LastPass, all this talk about the security of which company one uses is pretty irrelevant. The attacks focus outside, on the employees and vendors. This time a Plex account on an engineer's home laptop.
I think it's like two-factor authentication. With Keychain, all you need to open the keychain is your user account password. With 1Password, you need a second factor—the master password.
 
A simple search will show the majority of the largest hacks in recent times focused on employees and vendors with social engineering, not the core software. Since the pandemic, work from home covers most industries and IT departments. Nice try.

Not sure what you think is a nice try. I think I'll have to try harder to help you understand.

My son works for a national laboratory and he works from home. He's been given a computer that's locked down. He cannot install anything on it; all installations are handled by the lab. The computer connects to the lab using a VPN, and that's the only network connection he's allowed to have from the computer. The local LAN is off limits to him.

That's the kind of security that LastPass should have had in place on the computer that the engineer was using. So, when evaluating a company that will have access to your data, you should have much less confidence in them if you discover that engineers are allowed such uncontrolled access.

So,

all this talk about the security of which company one uses is pretty irrelevant.

That's not even close to true.
 
It is best to have 2 password managers. That way, if one goes down or folds, you don’t have to worry about what you will do. Always have a backup plan in place.

This is where standalone clients come into play: they provide resiliency if that company goes down or folds, because your vaults are not stored with them. They would be stored on your own devices. If 1Password folded, my data would still be considered safe because of my 1Password 6 vaults being on my Mac, and backed up to my NAS. If Enpass folded, the same would apply across my iPhone, iPad, PC, and Mac, as well as those vaults backed up to my NAS.

The problem is that people are now growing blindly dependent on SaaS, and storing that data with them. They are sacrificing autonomy for convenience.

BL.
 
This is where standalone clients come into play: they provide resiliency if that company goes down or folds, because your vaults are not stored with them. They would be stored on your own devices. If 1Password folded, my data would still be considered safe because of my 1Password 6 vaults being on my Mac, and backed up to my NAS. If Enpass folded, the same would apply across my iPhone, iPad, PC, and Mac, as well as those vaults backed up to my NAS.

The problem is that people are now growing blindly dependent on SaaS, and storing that data with them. They are sacrificing autonomy for convenience.

BL.
Exactly. I have Strongbox, Enpass, Bitwarden, and Minimalist. I am not at the mercy of any company, unlike those with a 1Password sub and the like.
 
If the 1Password servers go down, all your passwords are available locally and the app continues to function. Also, it’s very easy to keep local backup exports in two different formats. I keep CSV and their proprietary format backups on an encrypted disk image.
 
iCloud Keychain + secure your Apple ID with a pair of YubiKey hardware keys.

If not, I recommend 1Password, or self-hosted Bitwarden if you are into tinkering yourself. The easiest route is the one I suggest above, though.
 
iCloud Keychain + secure your Apple ID with a pair of YubiKey hardware keys.

If not, I recommend 1Password, or self-hosted Bitwarden if you are into tinkering yourself. The easiest route is the one I suggest above, though.
Speaking of keys, Apple should require key authentication anytime the user is attempting to either log in or make a purchase or transfer money. The keys aren't of any help against a thief who got access to the iPhone passcode.
 
iCloud Keychain + secure your Apple ID with a pair of YubiKey hardware keys.

If not, I recommend 1Password, or self-hosted Bitwarden if you are into tinkering yourself. The easiest route is the one I suggest above, though.

For something sensitive like this, given the spate of hacks LastPass, as well as Dashlane, has had, I would recommend not putting sensitive data like passwords into a password manager SaaS. This is where standalone clients provide the resiliency of the service not going down or getting breached, plus they can still provide the ability to keep data synchronous across devices. 1Password going SaaS-only had me dropping them as a customer, especially with leaving no upgrade path to their last standalone version.

Right now, Enpass is working the best for me, as it is the closest currently available to 1Password 6 or 1PW 7; I can keep all of that plus more PII and PCI info secure, all in the same vault, and that entire vault doesn't leave my possession.

BL.
 
I use both Apple Keychains (since Dot Mac) and 1Password (bought when offered on the Apple App Store). I don't pay a subscription for 1PW, although I'm stuck with version 6.8.9, which works great throughout all my devices.
I have no reason to change my PW system.
 
I use both Apple Keychains (since Dot Mac) and 1Password (bought when offered on the Apple App Store). I don't pay a subscription for 1PW, although I'm stuck with version 6.8.9, which works great throughout all my devices.
I have no reason to change my PW system.

I thought the same thing, as I'm using 1PW 6.8.9 on my mid-2011 13" MBA. However, Apple Silicon and the dropping of Rosetta 2 support in newer versions of macOS is tipping our hand. If I installed 1PW 6.8.9 on my 16" M1 Pro MBP (which I can do via Migration Assistant from a TM backup), Rosetta 2 will install for it to run the Intel binary that 1PW 6.8.9 is. When Apple drops Rosetta 2 support, 1PW 6.8.9 won't work at all on Silicon, so we'd lose it regardless. It was better for me to cut the losses now and find an alternative instead of Apple forcing my hand when that time arises.

BL.
 
Not sure what you think is a nice try. I think I'll have to try harder to help you understand.

My son works for a national laboratory and he works from home. He's been given a computer that's locked down. He cannot install anything on it; all installations are handled by the lab. The computer connects to the lab using a VPN, and that's the only network connection he's allowed to have from the computer. The local LAN is off limits to him.

That's the kind of security that LastPass should have had in place on the computer that the engineer was using. So, when evaluating a company that will have access to your data, you should have much less confidence in them if you discover that engineers are allowed such uncontrolled access.

So,



That's not even close to true.
You focus on LastPass for your reasons. Given the number of serious breaches, ransomware attacks, etc., on governments and large and small companies, why single out just one? The world your son works in is different; now, if only that world were immune to infiltration.
 
...I can keep all of that plus more PII and PCI info secure, all in the same vault, and that entire vault doesn't leave my possession.

BL.
Brad,

I definitely agree with this strategy, as I practice it myself. However, it leaves me feeling a little exposed as my Codebook vault is only on my computer and local backup disk. I'd like to store the vault on the net, but am afraid to do so. Thoughts and/or recommendations?

Thanks,

Greg
 
Brad,

I definitely agree with this strategy, as I practice it myself. However, it leaves me feeling a little exposed as my Codebook vault is only on my computer and local backup disk. I'd like to store the vault on the net, but am afraid to do so. Thoughts and/or recommendations?

Thanks,

Greg
Use sync.com or use cryptomator in a folder in iCloud to store your information.
 
Ever since Apple allowed 2FA and notes in their password management, I've been using that. I use an Apple secured note for anything else that requires screenshots, etc.

That said, it's probably better/safer to diversify. Say for whatever reason Apple decided to lock me out of my account, I'd be pretty screwed lol.

But for now, I'm 100% Apple, so it works for me. I have really adapted to and like Safari's password management. I still maintain a KeePass database that has my old 1Password export, just in case I need to change someday.
 