
bradl

macrumors 603
Jun 16, 2008
5,952
17,447
Brad,

I definitely agree with this strategy, as I practice it myself. However, it leaves me feeling a little exposed as my Codebook vault is only on my computer and local backup disk. I'd like to store the vault on the net, but am afraid to do so. Thoughts and/or recommendations?

Thanks,

Greg

What I do, especially with my Enpass vaults (and I'm fortunate enough to have the funds to do it) is that I also own a Synology DS213j NAS (that I'm upgrading to the DS220+). In addition to using an external disk for my TM backups, I also back up my Mac via TM to my NAS, as well as use the DS Cloud feature on it to run my own cloud services through that. So while I can use WiFi Sync to sync my Enpass vault to my PC, iPad, and iPhone, I back up my entire vault to that NAS, and then use Synology's HyperBackup function to back up my NAS to an external disk as well.

This is fairly safe for me, because a NAS is exactly that; a NAS. This unit does have the ability to run internet-facing services (Docker, mail, Apache, Webmin, VPN, etc.), but I am using it as an actual NAS, so it is never exposed to the internet. One would have to be physically on my network to even see it, let alone access it.

For you, if you want to store the vault somewhere, you can achieve at least one level of security by encrypting the vault altogether (which Codebook should already be doing), then when you back it up, it should be contained in a flat file. Encrypt that, then you should be able to store it wherever you want (read: iCloud, Dropbox, etc.). The only caveat to this is that people have stated that they don't care about <insert SaaS here>'s hack/breach, because their data is encrypted; the issue with that is that while the intruder didn't get to the contents of their data, they still had the means to get to and compromise the vault, which is the crux of the matter. So be wary of that; just because your data is safe (your data being the contents of your vault) doesn't mean that your data (the vault or integrity of the files that comprise your vault) is safe.

BL.
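
An added example illustrating the caveat in the post above (it is not part of the original thread and not any poster's code): an encrypted backup kept on a cloud service can still be altered or swapped, so a keyed manifest made before upload lets you check a downloaded copy before restoring from it. The file name, passphrase and PBKDF2 work factor are assumptions, and random bytes stand in for the encrypted vault export.

```python
import hashlib
import hmac
import os
import tempfile

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 32-byte MAC key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)


def file_mac(path: str, key: bytes) -> str:
    """HMAC-SHA256 over the file, read in 1 MiB chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            mac.update(chunk)
    return mac.hexdigest()


def seal(path: str, passphrase: str) -> dict:
    """Build a manifest before upload. A keyed MAC (not a bare hash) means
    someone who can rewrite both file and manifest still cannot forge it."""
    salt = os.urandom(16)
    return {
        "size": os.path.getsize(path),
        "salt": salt.hex(),
        "hmac": file_mac(path, derive_key(passphrase, salt)),
    }


def verify(path: str, passphrase: str, manifest: dict) -> bool:
    """Check a downloaded copy against its manifest before restoring from it."""
    if os.path.getsize(path) != manifest["size"]:
        return False
    key = derive_key(passphrase, bytes.fromhex(manifest["salt"]))
    return hmac.compare_digest(file_mac(path, key), manifest["hmac"])


def demo() -> tuple:
    """Seal a constructed stand-in for an encrypted vault export, then change
    one byte the way a modified cloud copy would differ."""
    passphrase = "constructed example passphrase"
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "vault-backup.enc")  # hypothetical file name
        with open(backup, "wb") as fh:
            fh.write(os.urandom(4096))  # random bytes stand in for ciphertext
        manifest = seal(backup, passphrase)
        intact = verify(backup, passphrase, manifest)
        with open(backup, "r+b") as fh:
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(bytes([original[0] ^ 0x01]))
        modified = verify(backup, passphrase, manifest)
    return intact, modified


if __name__ == "__main__":
    print(demo())
```
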
 

fdw777

macrumors regular
Mar 7, 2012
238
179
I thought the same thing, as I'm using 1PW 6.8.9 on my mid-2011 13" MBA. However, Apple Silicon and the dropping of Rosetta 2 support in newer versions of MacOS is tipping our hand. If I installed 1PW 6.8.9 on my 16" M1 Pro MBP (which I can do via Migration Assistant from a TM backup), Rosetta 2 will install for it to run the Intel binary that 1PW 6.8.9 is. When Apple drops Rosetta 2 support, 1PW 6.8.9 won't work at all on Silicon, so we'd lose it regardless. It was better for me to cut the losses now and find an alternative instead of Apple forcing my hand when that time arises.

BL.
100% agreement. I will ride this 1PW pony as long as I can on my 14" M1 MBP, and keep it running for my iPhone, iPads, and 2014 Mac mini....For as long as possible.
 

bradl

macrumors 603
Jun 16, 2008
5,952
17,447
100% agreement. I will ride this 1PW pony as long as I can on my 14" M1 MBP, and keep it running for my iPhone, iPads, and 2014 Mac mini....For as long as possible.

The good thing here is that it will run forever on Macs and versions of MacOS that will support it. I haven't upgraded my MBA from Sierra, and don't ever intend to. So it will run there as long as the OS can boot. But as far as Apple Silicon goes, when they drop Rosetta, that will mark the end of it.

There's tons of talk of this and people's attempts to at least have AgileBits offer up 1PW 7 to be able to provision that for Standalone again, but AB scoffed at it, going all in on SaaS.

BL.
 
  • Wow
Reactions: jagooch

fdw777

macrumors regular
Mar 7, 2012
238
179
as well as use the DS Cloud feature on it to run my own cloud services through that.
I thought I was the only one using DS Cloud. I'm using Cloud Station Drive Version 4.3.3-4469 and have been using my DS112 since 2012 without failure. It's wonderful having my (our) own Cloud server!
 

gregmac19

macrumors regular
Jul 28, 2016
231
161
What I do, especially with my Enpass vaults (and I'm fortunate enough to have the funds to do it) is that I also own a Synology DS213j NAS (that I'm upgrading to the DS220+). In addition to using an external disk for my TM backups, I also back up my Mac via TM to my NAS, as well as use the DS Cloud feature on it to run my own cloud services through that. So while I can use WiFi Sync to sync my Enpass vault to my PC, iPad, and iPhone, I back up my entire vault to that NAS, and then use Synology's HyperBackup function to back up my NAS to an external disk as well.

This is fairly safe for me, because a NAS is exactly that; a NAS. This unit does have the ability to run internet-facing services (Docker, mail, Apache, Webmin, VPN, etc.), but I am using it as an actual NAS, so it is never exposed to the internet. One would have to be physically on my network to even see it, let alone access it.

For you, if you want to store the vault somewhere, you can achieve at least one level of security by encrypting the vault altogether (which Codebook should already be doing), then when you back it up, it should be contained in a flat file. Encrypt that, then you should be able to store it wherever you want (read: iCloud, Dropbox, etc.). The only caveat to this is that people have stated that they don't care about <insert SaaS here>'s hack/breach, because their data is encrypted; the issue with that is that while the intruder didn't get to the contents of their data, they still had the means to get to and compromise the vault, which is the crux of the matter. So be wary of that; just because your data is safe (your data being the contents of your vault) doesn't mean that your data (the vault or integrity of the files that comprise your vault) is safe.

BL.
Thanks for the response, but I assume the NAS, and everything else is at your house. What happens if your house burns down or is otherwise destroyed?
 

bradl

macrumors 603
Jun 16, 2008
5,952
17,447
Thanks for the response, but I assume the NAS, and everything else is at your house. What happens if your house burns down or is otherwise destroyed?

That is where I have the backups of the NAS come in. They are kept offsite. Should my house go up, I can get in a new NAS, restore the NAS from the backups taken, then restore my Mac from the NAS. This way, my data is covered, and my Mac is doubly covered.

BL.
 

gregmac19

macrumors regular
Jul 28, 2016
231
161
That is where I have the backups of the NAS come in. They are kept offsite. Should my house go up, I can get in a new NAS, restore the NAS from the backups taken, then restore my Mac from the NAS. This way, my data is covered, and my Mac is doubly covered.

BL.
I don't know whether you have to physically take the backups offsite, but I would need to. Thus, if my house burned down, I would lose any data I acquired since I last took a backup offsite. Unfortunately, I think I am stuck with storing data online.

Thanks again for your responses!
 

bradl

macrumors 603
Jun 16, 2008
5,952
17,447
I don't know whether you have to physically take the backups offsite, but I would need to. Thus, if my house burned down, I would lose any data I acquired since I last took a backup offsite. Unfortunately, I think I am stuck with storing data online.

Thanks again for your responses!

I do take my backups offsite. TM backups go to a storage unit I have, while another set of TM backups and the NAS backups go to my parents' place.

Obviously, the issue of recursion comes into play, because the same question of what happens if those places burn down could also be asked.

But the same could be asked of any DR site when a disaster hits the primary site. Been there, did that, still doing that.

BL.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,275
1,525
I do take my backups offsite. TM backups go to a storage unit I have, while another set of TM backups and the NAS backups go to my parents' place.

Obviously, the issue of recursion comes into play, because the same question of what happens if those places burn down could also be asked.

But the same could be asked of any DR site when a disaster hits the primary site. Been there, did that, still doing that.

BL.
How do you feel about the security of your parents' place? I suspect it's significantly less secure than a protected data center. If they were robbed you would be in the same position as someone whose 1Password vaults were leaked.
 
  • Like
Reactions: BigMcGuire

svenmany

macrumors demi-god
Jun 19, 2011
2,275
1,525
I'm only focusing on your words, "all this talk about the security of the which company one uses is pretty irrelevant", and disagreeing.
That was unnecessarily curt. Sorry.

Simple search will show the majority of the largest hacks in recent times focused on employees and vendors with social engineering, not the core software.

Your focus on employees is an important one. But a company's security can help there.

I should have explicitly mentioned the phrase "endpoint security". A company's security, if done well, includes endpoint security. A flaw in a company's endpoint security allowed the recent LastPass hack. It probably gives rise to many hacks of remote workers. Endpoint security offers significant protection when remote workers are the target.

Other things, like employee training, should be part of a company's security practices.

These things are particularly relevant (to me). If I were to learn that Apple or 1Password were careless in these things, I would worry a lot.
 

bradl

macrumors 603
Jun 16, 2008
5,952
17,447
How do you feel about the security of your parents' place? I suspect it's significantly less secure than a protected data center. If they were robbed you would be in the same position as someone whose 1Password vaults were leaked.

I actually feel safe in my parents' place being secure. My father is a LEO. But you have brought up a good point, because it is just as much of a slippery slope as my own place is, in that it would also be a single point of failure. But I have seen and dealt with incidents such as my data center's core router going down, effectively shutting down the entire data center, so it isn't any different than not having access to my backups when needed.

What I'll also do is put both sets of data (TM backups and NAS backups) in two separate places and rotate those out so if one set is lost, the other is available. That is a better solution for me, plus doesn't get into any 4A issues that data centers and SaaS providers would have.

BL.
 
  • Like
Reactions: gregmac19

h.gilbert

macrumors 6502a
Nov 17, 2022
718
1,263
Bordeaux
Exactly. I have Strongbox, Enpass, Bitwarden, and Minimalist. I am not at the mercy of any company unlike those with 1Password sub and the like.

You could also just have one password manager and keep regular backups. In the event the password manager fails you can use the export to set it up with a new password manager. At least that's how I think about it. Would rather just one manager and one password than many to keep on top of.
 
  • Like
Reactions: bradl

Danfango

macrumors 65816
Jan 4, 2022
1,294
5,779
London, UK
Neither.

Use MacPass (KeePass-compatible password manager) with the database stored in iCloud and the master password in your head. Vectors:

1. Third party password service compromised -> there isn't one so you're fine.
2. Your iCloud compromised -> still encrypted so you're fine
3. Your kdbx file leaked -> still encrypted so you're fine
4. Lose your iCloud account through phone theft -> you still have access to your password store and the attacker does not so they can't leverage access to other services.

I keep a few things in keychain but nothing I care about.

Oh also importantly:

1. Keep a full backup of your computer, disconnected at home. Done weekly.
2. Keep an irregular backup of your computer, disconnected at a second location. Mine is every 6 months.

That accounts for 99% of risks other than nuclear war or asteroid or you dropping dead at which point you're going to be pretty meh about your data anyway.
 

bradl

macrumors 603
Jun 16, 2008
5,952
17,447
Neither.

Use MacPass (KeePass-compatible password manager) with the database stored in iCloud and the master password in your head. Vectors:

1. Third party password service compromised -> there isn't one so you're fine.
2. Your iCloud compromised -> still encrypted so you're fine

Umm.. those 3rd party SaaS providers had their data encrypted. Look at what happened.

3. Your kdbx file leaked -> still encrypted so you're fine
4. Lose your iCloud account through phone theft -> you still have access to your password store and the attacker does not so they can't leverage access to other services.

The issue here is that you would still be dependent on a Cloud service to get access to your data. Should that service go down for any reason or completely go out of business, there goes your data. And since your data resides on their servers, legally, it is THEIR data, and they are under no real legal obligation to return that data to you. Finally, having it on that service technically means that you'd lose your right to requiring a warrant to search and seize that data from that 3rd party, as the 3rd party would not be implicated in any issue that requires seizure of your data.

I keep a few things in keychain but nothing I care about.

Oh also importantly:

1. Keep a full backup of your computer, disconnected at home. Done weekly.
2. Keep an irregular backup of your computer, disconnected at a second location. Mine is every 6 months.

This I agree with. But again, nothing I use for backups of my vaults is exposed to the internet, nor ever will be. Local backups here to my NAS, backups taken locally and offsite.

That accounts for 99% of risks other than nuclear war or asteroid or you dropping dead at which point you're going to be pretty meh about your data anyway.

Depending on what data you are storing. Most password managers (Bitwarden, 1Password, Enpass, etc.) have the ability to store more than just passwords; they can store PII, PCI, and PHI data. I store all of that in my vault, for my family as well as for myself, so if something happens to me, my family knows how to get to all of that so they don't lose their personal, financial, and health footprints.

BL.
 

kyussmondo

macrumors regular
Apr 7, 2010
105
40
UK
I think iCloud Keychain is a solid option for most people in the Apple ecosystem. The iCloud Password Manager is available on Windows now and works well in Chromium-based browsers like Chrome, Edge and Brave. Providing a solid password manager for the average user with support for PassKeys is excellent for security in general. However, you are

If you need something more fully featured, like storing more information, having more control over your password generator and other features, and being able to use it cross-platform, Android, Linux, Windows, then 1Password and Bitwarden are good options. 1Password has a solid amount of funding, and they will also support FIDO2 / WebAuthn (PassKeys) sometime in early 2023. There are PassKey implementations on Apple, Windows and Android, but they are not cross-platform. Bitwarden is open source and less expensive.

While I hope we can move towards a passwordless future, these secure online vaults will still play an essential part in storing and syncing our private keys between our devices.
 

bradl

macrumors 603
Jun 16, 2008
5,952
17,447
I think iCloud Keychain is a solid option for most people in the Apple ecosystem. The iCloud Password Manager is available on Windows now and works well in Chromium-based browsers like Chrome, Edge and Brave. Providing a solid password manager for the average user with support for PassKeys is excellent for security in general. However, you are

If you need something more fully featured, like storing more information, having more control over your password generator and other features, and being able to use it cross-platform, Android, Linux, Windows, then 1Password and Bitwarden are good options. 1Password has a solid amount of funding, and they will also support FIDO2 / WebAuthn (PassKeys) sometime in early 2023. There are PassKey implementations on Apple, Windows and Android, but they are not cross-platform. Bitwarden is open source and less expensive.

While I hope we can move towards a passwordless future, these secure online vaults will still play an essential part in storing and syncing our private keys between our devices.

1Password, while the application is good, has treated its longtime customers rather poorly.

1Password stated that they would always have a standalone client. They reneged on that, forcing everyone to a subscription model.

Since announcing the move to a SaaS, they have given no other alternative means for longtime users to get to the last supported standalone version. 1Password 6 and 1Password 7 are available on their site, yes; however, you can no longer purchase standalone licenses for those versions, which forces you to their subscription model.

When trying to upgrade to that last supported version (1Password 7), when getting to it, your vault is locked into read-only mode until you purchase a subscription, leaving your vault able to be used, but no other data able to be added to your vault.

All of this, due to trying to go Enterprise with said funding, while leaving the user base that supported them and got them to where they are completely in the dark.

Further complicating issues is the fact that while 1Password 7 is a universal binary not requiring Rosetta, 1Password 6 and lower are not, as they are native Intel binaries. When Rosetta 2 gets dropped, everything 1Password 6 and lower will fail to run on any Apple Silicon Mac, forcing those users to have to migrate off of 1Password completely, or purchase a subscription.

For issues already described here as well as many others, having such personal data stored at a SaaS that can have security breaches - especially outside of the users' control - is too high a risk for some users to take, which has forced some of those users to drop 1Password altogether.

In short, sometimes "NEW FEATURES!! NEW FEATURES!!" are not always best; sometimes newer != better.

BL.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,275
1,525
All of this, due to trying to go Enterprise with said funding, while leaving the user base that supported them and got them to where they are completely in the dark.

You're speaking for only a portion of their user base. I'd be interested to know how big a portion, but I don't think there's any way to find out.

I am a long time customer, since 2007, and I wasn't treated poorly. For example, I was already subscribed to their service before it became required. And, while I did once fear they might be deprioritizing their non-enterprise users, I've seen no evidence of that. Any funding they received helps their product to my benefit.

But, yeah, it hurts when a company moves on and decides that you're not their target customer anymore. It's particularly painful when you really loved their product. There are people on these forums complaining about it for months on end (maybe even years) on many threads. If 1Password had not been such a great product, people would have just moved on.

I wonder if there are therapists specializing in divorce who would assist with these 1Password issues.
 

jagooch

macrumors 6502a
Jul 17, 2009
807
249
Denver, co
I think iCloud Keychain is a solid option for most people in the Apple ecosystem. The iCloud Password Manager is available on Windows now and works well in Chromium-based browsers like Chrome, Edge and Brave. Providing a solid password manager for the average user with support for PassKeys is excellent for security in general. However, you are

If you need something more fully featured, like storing more information, having more control over your password generator and other features, and being able to use it cross-platform, Android, Linux, Windows, then 1Password and Bitwarden are good options. 1Password has a solid amount of funding, and they will also support FIDO2 / WebAuthn (PassKeys) sometime in early 2023. There are PassKey implementations on Apple, Windows and Android, but they are not cross-platform. Bitwarden is open source and less expensive.

While I hope we can move towards a passwordless future, these secure online vaults will still play an essential part in storing and syncing our private keys between our devices.
Can you access iCloud Keychain from computers with a different Apple ID?

Currently I use 1Password on a mix of Windows and Mac computers, on personal and corporate laptops, and it just works.

I’d love a non-subscription alternative that is as easy to set up and use, but I haven’t found one.
 

bradl

macrumors 603
Jun 16, 2008
5,952
17,447
Can you access iCloud Keychain from computers with a different Apple ID?

Currently I use 1Password on a mix of Windows and Mac computers, on personal and corporate laptops, and it just works.

I’d love a non-subscription alternative that is as easy to set up and use, but I haven’t found one.

The closest you may come to for an alternative is Enpass. It isn't as polished as 1Password, but it definitely will suit what you are looking for.

BL.
 