Self-hosted means running your own sync server. Not for the average user....built for orgs that want 100% control. You (or anybody) could run their own server, and never have to worry about Bit Warden being hacked or closing down....but then you would have to secure your own server, not to mention running a 24/7 server!

How could hackers get encrypted PWs from a server? They can't without the key....which only the end-user has.

Could they guess or steal your master password? Yes. Could one of your devices (that is set to automatically connect to BW) be stolen or taken control of? Yes. If your master PW is stolen or guessed, would an attacker have control of all your saved PWs and the entire password app? Yes.

These sorts of breaches are on the end-user, regardless of what system they use. Same problem if you keep your PW in Keychain, on a Word doc, a Sticky note, or something like Evernote.

The best way to prevent theft/access due to physical possession or guessing/stealing your master PW would be to use 2-factor authentication. Less convenient, more secure. 2FA is currently the strongest method to prevent a single PW from being the only thing preventing access, regardless of platform or app choice.
Thanks for the info. Even if you have 2FA enabled, the password is very strong, you don't let your devices get stolen and your passwords are encrypted on their servers. There are still some scenarios I have:

1. The password manager f's up, you can't login, even though you use the correct password. Several users have reported these cases using PW's.

2. Your passwords are encrypted, but hackers manipulate the servers so all your passwords are changed. You no longer have access to your passwords. Or, the servers fail because of a technical issue and changes your passwords. Is this possible?
 
#1 - Obviously software—any software—can fail, break or error in some way. I can't speak to other users' errors...I have not experienced any of them. If somebody typo'd the main PW...they are done. No recovery. That is the power of the company not having your password. BW explicitly warns about this. I can't say that is what happened, but it is the most likely scenario. If one lost their PW, forgot their PW, or BW had any issue that caused the PW to not unlock, the results would be the same: locked out forever. That's why reporting and documenting is so critical.

No different than a physical safe. If you forget the PW, or the lock breaks....there is no back door.

#2 - If a hacker gets your master PW, they have complete control, obviously. If servers fail, attackers gain access, or you otherwise lose access...nothing is stolen or gained by anybody: you lose access to a locked safe. Per most experts, 256 is virtually uncrackable...so access or "hacking the servers" does not grant access to users' PWs.

If you don't trust AES 256 is safe...you should not use any PW manager. You should not shop or bank online, and you might consider not using the internet. ;)
 
Alright, if I think this through... Better not storing the most important passwords in the manager before having logged in and out several times as practice. That should ensure that you remember it.

I agree with what you’re saying. Hackers gaining access to the servers have nothing to find. However, in my hypothetical scenario, hackers don’t want to gain access to get the passwords. They want to make the server change the passwords. Or the server, by an error, suddenly changes the passwords, and everyone with the PW loses all their passwords. Because they all got changed. Now this is my question. What if THAT happens? The chance that it would happen with exactly the PW you’re using is of course extremely slim. But I want to know if that is possible.
Is it safe though? If something happens with their servers and the sync f's up, all your accounts are gone. Especially if all your accounts sync at once with the servers. Or hackers destroying the servers that do the syncing. I can trust the fact that these managers are great at encryption and ease of use but ease of mind?

I've read so many feedbacks from users of password managers that lost accounts because of syncing issues and that's not even your fault then.

I don't know, the idea is great but if something happens you'll never again get your accounts?
You can locally host your own Bitwarden service.
I am rocking Bitwarden now. It's a solid choice I think. Its open-source nature keeps them from shady practices, which is good, and keeps them transparent.
I like Bitwarden as well. I wish they offered an Apple Watch app.
 
Totally need to test. I would say the same for any PW manager. Use it...a lot, with PWs that are less important; stuff like credentials to, say, this forum. Test it relentlessly to be sure you like and fully understand it before committing to your most important and sensitive.

As for losing access to the sync server, for any reason, including nefarious activities, you still have your PW in your browser plugin, locally on your computer. If I disconnect wifi on my laptop, I can still see my vault. All the stuff is still there. I would expect most would behave the same...though I can't confirm. Add this to your test: disconnect from the internet, and test your access as well as the ability to edit locally on the browser plugin. I have not tried on iOS yet.
 
That’s good to know. In your view it’s not possible for a server issue or hacker to change the encrypted passwords stored on the servers?
 

Yes.

The attacker would have to crack 256 encryption for each account to see, much less change, anything. If BW servers got compromised...the attacker would see thousands...perhaps millions of encrypted accounts. That would be like breaking into a warehouse only to find crack-proof safes. They could burn the whole place down, but still not get at the contents.

It's not quite that simple, but cracking 256 is not "hacker" stuff. It's nation-state espionage stuff...and let's face it: If the CIA/NSA/Russians/Chinese throw serious resources at it...maybe tools like BW don't stand up to the attack. But the same could be said of anything/everything. That's not what we (consumers) are really trying to protect against, right?

To be clear, IF, via intrusion to your device, an attacker could either get your master PW (the encryption key), or see your PWs IF your browser was open and IF your BW vault (the browser plugin) was open and logged in...then, the attacker could get your credentials for any/every account, and then log in to each account, and then possibly reset account passwords IF the accounts allow a PW reset without verification or IF the hacker could verify via your email account, text account, or phone.

That's a lot of IFs...that start with a compromised device, not compromised servers. And nearly all those IFs could be removed with good device security OR by using MFA.
 
MFA? The solution to all those IF's could just be an antivirus that protects your device from hackers, right? Good AV's prevents things like keyloggers and trojans, right?

And what you said about hackers burning the entire place down while still not getting access to the passwords: They still managed to burn it down, and therefore destroying all the passwords from the users. Is this correct?
 
Multi-Factor Authentication. Yes, good security will always be your best defense. AV has limited value on Macs...but that is another topic.

When you lose access to the sync servers, you can't sync. If you have your PWs on your local machine, you still have them. Your PWs don't only live on the sync servers. And that's before you export your vault and print the list. They have a nice CSV export, so you have a simple table of everything.

Seems like you may be overthinking this. Why not dive in and test with non-essential PWs? You can prove to yourself exactly what access you have, and if you are comfortable with it.
 
I actually overthought this. I figured that even if the passwords are changed, they're only changed on the servers and not on the actual websites they're used on. So they would still work.

Yeah, that sounds good.
 
It could still happen. This is why I use the same username and password for all of my accounts. Much easier to remember, no password program to hack, and I can simply refer to the post-it on my monitor if I ever forget my password. If I'm away, I simply slide it under the keyboard for an extra layer of security. 😜

Tim
 
No doubt that is easiest. The concern with that is, attackers expect this. If any account gets compromised (even something low risk to you, like say your Netflix account), the attacker immediately tries those same credentials on every possible site, including banking and shopping.

That very real risk is exactly what leads to PW managers, and this thread. ;)

If you want to know if any of your existing accounts were ever compromised, you can check here: https://monitor.firefox.com
...If one account does get compromised, best practice is to change the PW on every account that used that PW...so that means every account! That gets old really fast...which again brings us back to how to use a PW manager to prevent this risk.

Good overview of PW threats here.

As for "It could still happen"....sure, anything is possible. The question is how possible? What is the risk?

In security, generally speaking, the goal is to secure against the most likely (biggest threat) first. Having your credentials stolen from an unsecured server is very likely. It has already happened numerous times. 256 has never been cracked (...yet). So recycling PWs is exponentially more risky than storing unique PWs that are encrypted before transit and at rest on a sync server.
 
I would urge caution. I have it. It can be handy. I still use it but it bit me. I have the cross platform version. Somewhere, somehow it downgraded (for lack of a better word) all my passwords to an older time of several months back. I had to go and reset everything. Just more of an annoyance and time consuming. Luckily I had an old, just recently retired iPhone that was turned off that I could recover the passwords from. I worked with 1Password support. They kept asking for dumps from the different devices. They gave up. Never could identify the problem. I suspect it had something to do with the cross platform option because I had just recently bought into that option after using the stand alone version for a year or two. I recommend keeping a backup of your passwords in a password (haa) protected file, but that sort of defeats one of the main goals of the utility.
 
That stinks. Sounds like the syncing broke, and something somewhere (device, server, etc) had an older set, and then pushed the older PWs out to sync. Could be the move from stand-alone to sync'd failed to update the correct way.

This is a good (hopefully very rare) example of why physical possession is very important, regardless of the method or tool. I always export and print the full vault (list) after any PW changes or updates. Very easy in Bit Warden, hopefully, all the other competitors have a similar function too.
 
Now I've heard people say that you should backup your vault in an encrypted place. But you can't actually see all your stuff without the app or software. So what if you backup your vault, but in the meantime the servers get deleted or they're out of business and you can't find the app anywhere anymore to actually import all your stuff and see it. Sure, you could get another PW and import your vault there, but what if you've got no internet, all your devices with your app are gone and you've got no internet to download any new PW?

There are so many risks involved thinking about it. But perhaps it's still better than just having 1 good password for everything? Sure that's dangerous if someone gets it but at least you'll always have access to it and you don't need any extra software.
 
Once you have your vault setup, export it. Easy peasy.

If you don't need it electronic, print it and delete the file from computer.
Save it to a flash drive and file it, and delete the file from computer.
Save it in an encrypted disk image via Disk Utility. Save the PW in your files with the printed copy of your vault.

All easy, takes no other software, and not really a problem with PW managers...a general problem of what to do with things that need to be secured if a computer was fully compromised or stolen.
 
The exported vault is a .json document but opening it doesn't show all the info stored in the vault. For that it has to be imported to another PW manager. Or are you talking about storing the .json file together with the .exe installation file of the PW manager?
 
That's the default...you can change to CSV. I prefer the archive to not be an executable.
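The JSON export does hold everything (notes, custom fields, URIs), it is just nested where a text editor won't show it at a glance. As an added example for this thread, not Bitwarden's own code, here is a small stdlib-only script that flattens an unencrypted export into the same kind of plain CSV table the export option gives you; the key names (encrypted, folders, items, login.uris, fields, notes) follow the Bitwarden unencrypted .json layout as I understand it and are an assumption to check against a real export, and the sample vault is constructed.

```python
"""Flatten a Bitwarden-style unencrypted JSON vault export into a CSV table.

Added example for this thread, not Bitwarden's own tooling. The key names
below follow the layout of Bitwarden's unencrypted .json export as I
understand it; treat them as an assumption and check a real export first.
"""
import csv
import io
import json

# Constructed sample export (not a real vault): one login with a custom field
# and a secure note, i.e. the data a text editor won't show at a glance.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "folders": [{"id": "f1", "name": "Forums"}],
    "items": [
        {
            "id": "i1", "folderId": "f1", "type": 1, "name": "MacRumors",
            "notes": "security question: first pet",
            "fields": [{"name": "recovery code", "value": "EXAMPLE-CODE", "type": 0}],
            "login": {
                "uris": [{"uri": "https://forums.macrumors.com"}],
                "username": "sample_user", "password": "Sample-Pass-123", "totp": None,
            },
        },
        {"id": "i2", "folderId": None, "type": 2, "name": "Wifi",
         "notes": "guest network key lives in notes", "fields": None, "login": None},
    ],
})

COLUMNS = ["folder", "type", "name", "uri", "username", "password", "totp",
           "custom_fields", "notes"]
TYPE_NAMES = {1: "login", 2: "note", 3: "card", 4: "identity"}


def flatten_export(raw_json):
    """Return one dict per vault item with every stored field pulled up to
    the top level, so nothing stays hidden inside nested objects."""
    data = json.loads(raw_json)
    # A password-protected export is itself ciphertext; refuse rather than
    # write rows of opaque blobs that look like a usable paper backup.
    if data.get("encrypted"):
        raise ValueError("export is encrypted; make an unencrypted export first")
    folders = {f["id"]: f["name"] for f in data.get("folders") or []}
    rows = []
    for item in data.get("items", []):
        login = item.get("login") or {}
        uris = login.get("uris") or []
        fields = item.get("fields") or []
        rows.append({
            "folder": folders.get(item.get("folderId"), ""),
            "type": TYPE_NAMES.get(item.get("type"), str(item.get("type"))),
            "name": item.get("name", ""),
            "uri": uris[0].get("uri", "") if uris else "",
            "username": login.get("username") or "",
            "password": login.get("password") or "",
            "totp": login.get("totp") or "",
            "custom_fields": "; ".join(f"{f.get('name')}={f.get('value')}" for f in fields),
            "notes": item.get("notes") or "",
        })
    return rows


def export_to_csv(raw_json):
    """Render the flattened rows as CSV text, ready to print and file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(flatten_export(raw_json))
    return buf.getvalue()


if __name__ == "__main__":
    print(export_to_csv(SAMPLE_EXPORT))
```

The output is plaintext, so it belongs only on paper or inside the encrypted disk image described above, and the file should be deleted afterwards.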
 
I use 1Password, Bitwarden, Enpass, and LastPass. 1Password is my main use program. I use Enpass for the Apple Watch because 1Password only shows username and password, whereas Enpass shows all that and any additional notes for the account like security questions etc. Bitwarden gets some use but it mainly used for a backup along with LastPass, which also shows more than the username and password on the Apple Watch.
 
1Password X Beta just had desktop integration temporarily removed. This means no more Touch ID integration for the Browser Extension (if you want inline Browser Autofill in browsers that are not Safari).

They claim the change is temporary as they work on improving that capability (desktop integration) and making it more cross platform.

Too bad. I really liked that functionality. Hopefully the wait isn't too long.
 
I have been with 1Password since it first came out. The years that they offered free or reduced upgrades were nice and doable. The subscription had me comparing the competition - Lastpass, keepass (different versions), got sticky password in a bundle, but finally found and have been sticking with Bitwarden for the last 9 months.

It works really well on all devices. It's free, with whatever devices, but I upgraded to the Family Sharing for only $12 a year to give them some support. Their premium is only $10 a year. Great values especially with how well it works.
Hi, is it possible to export all of my LastPass passwords/notes to Bitwarden? Also, is BitWarden proprietary software?
 
This is very weird because sometimes autofill works for me on chrome, when I’m on the website, I simply click on the lastpass icon on top of the computer and it autofills, but if I go to the lastpass app and click on launch site, it opens safari, which I don’t use. 🤔
edited: sorry, thought you were mentioning lastpass. But it does what I mentioned.
 