
maflynn

macrumors Haswell
May 3, 2009
73,533
43,481
I think there is a confusion. People prefer FOSS for privacy reasons.
I think you're mistaken. Just googling "why use open source software", the results have a lot of information about security and very little about privacy. I don't think open source is inherently more private than closed source software. Yes, the community has some privacy-minded leanings, but that won't stop any given open source project from leveraging and selling user data.

Google's AI generated answer doesn't mention privacy at all



Most of the links I found on the front page of Google fail to mention privacy at all. Seems like people justifying open source and talking about open source don't mention privacy as a major reason.
 
  • Like
Reactions: eltoslightfoot

eltoslightfoot

macrumors 68020
Feb 25, 2011
2,219
2,664
Yeah, I found the UI and UX of Bitwarden to be a bit of a bummer. While cheaper (free) than 1PW, I find the intangibles of 1PW tip the scales in its favor. Not just UI/UX but also the fact that it uses the Secret Key, which increases the security and safety of my data.


Is the data encrypted as it's transmitted? Seems like relying on Wi-Fi syncing is riskier than relying on storing data on a provider that has no direct way to decrypt your data.
It certainly appears that it is encrypted. Here is more information:

 

Apple_Robert

Contributor
Sep 21, 2012
34,399
49,840
In the middle of several books.
That is definitely a good alternative, but I have to buy it so for now sticking with Enpass...also, I would have to find a Keepass client for Windows (again not a big deal).
Strongbox offers a free version. And if you wanted to test the Pro version, it would cost you $3 for a month. I think that is very reasonable. I have been using Strongbox for several years and I think it is just as good as 1Password was.

 

toasted ICT

macrumors regular
Sep 28, 2010
124
138
Sydney
For some odd reason, Enpass for me always fails Wi-Fi sync and I do not know the reason. I have to delete the vault on iOS and resync from the desktop.

Strongbox has good Wi-Fi Sync. Might be worth trying it out. It's a Strongbox Pro feature, but they have a free trial.

Strongbox uses Zero Configuration Networking for device discovery. For networking it uses Transport Layer Security (TLS) with a Pre-Shared Key (PSK). In addition, databases are always transferred in their encrypted file format (e.g. KeePass KDBX or Password Safe PSAFE3). Master passwords or other credentials are never transferred over the network. Database metadata like the nickname, size and modified date of your databases are sent in encrypted JSON format protected by TLS-PSK.

$3 per month or $20 per year (with 3 month free trial) or $90 lifetime purchase. I was happy to spend the money on a lifetime license. After all, I use it to keep all my passwords and secure notes. And I do not want to put my data on a developer's honeypot target server.
 
  • Like
Reactions: Supermallet

toasted ICT

macrumors regular
Sep 28, 2010
124
138
Sydney
I would switch to Strongbox if it had the mini-assistant. So far only 1Password and Enpass have it.
For the mini assistant to operate, the Enpass app must be running and you need to use the Enpass extension in your browser. Then the Enpass Assistant lets you do the autofill using the browser extension and basic functions like searching and viewing items, editing existing items, copying information, generating passwords, etc.

Strongbox uses Apple's native built-in AutoFill .... a feature I appreciate.

While there is no 'mini assistant', this does not stop you from being able to fill data in the browser, and better still, there is no additional security threat vector.... If you use Strongbox on Safari on Mac, iPhone or iPad, the advantage is no browser extension is needed or used.

A cursory search: "In 2020, 106 browser extensions were removed from the Chrome Web Store, being used to steal user data, take screen captures or even steal credit card information from web forms" and another article here

Just something to consider.
 
Last edited:
  • Like
Reactions: Supermallet

MacBH928

macrumors G3
Original poster
May 17, 2008
8,334
3,725
I'm not sure that's why people prefer open source software. I don't think there is any greater privacy in open source versus closed source (unless you read the code and understand it fully).

I don't really know the people behind open source projects. They are usually just accounts on GitHub. I have a bit more confidence in, say, 1Password, where they show everyone's picture on their website with a short bio. https://1password.com/company

I think you're mistaken. Just googling "why use open source software", the results have a lot of information about security and very little about privacy. I don't think open source is inherently more private than closed source software. Yes, the community has some privacy-minded leanings, but that won't stop any given open source project from leveraging and selling user data.

Google's AI generated answer doesn't mention privacy at all


Most of the links I found on the front page of Google fail to mention privacy at all. Seems like people justifying open source and talking about open source don't mention privacy as a major reason.

You may not have roamed the world of online privacy, but FOSS is exclusively preferred due to the fact that you can always check what's going on in the background. In a proprietary app, you do not know what's collected behind closed doors.

Check recommendations, almost exclusively FOSS. Even service providers publish some/all of their software on GitHub.

Some privacy centered service providers:


Yeah, I found the UI and UX of Bitwarden to be a bit of a bummer. While cheaper (free) than 1PW, I find the intangibles of 1PW tip the scales in its favor. Not just UI/UX but also the fact that it uses the Secret Key, which increases the security and safety of my data.

Bitwarden is ugly, but after using it for some time I kind of stopped noticing it. Yes, 1Password is more eye candy.

Strongbox offers a free version. And if you wanted to test the Pro version, it would cost you $3 for a month. I think that is very reasonable. I have been using Strongbox for several years and I think it is just as good as 1Password was.


There is a lifetime option too for like $90-$100.

Strongbox has good Wi-Fi Sync. Might be worth trying it out. It's a Strongbox Pro feature, but they have a free trial.

Strongbox uses Zero Configuration Networking for device discovery. For networking it uses Transport Layer Security (TLS) with a Pre-Shared Key (PSK). In addition, databases are always transferred in their encrypted file format (e.g. KeePass KDBX or Password Safe PSAFE3). Master passwords or other credentials are never transferred over the network. Database metadata like the nickname, size and modified date of your databases are sent in encrypted JSON format protected by TLS-PSK.

$3 per month or $20 per year (with 3 month free trial) or $90 lifetime purchase. I was happy to spend the money on a lifetime license. After all, I use it to keep all my passwords and secure notes. And I do not want to put my data on a developer's honeypot target server.

I would go for Strongbox, but the mini-assistant is a real deal breaker for me, so much so that if Enpass drops it I might go back to 1Password.

A cursory search: "In 2020, 106 browser extensions were removed from the Chrome Web Store, being used to steal user data, take screen captures or even steal credit card information from web forms" and another article here

Just something to consider.

I am very careful which extensions to use. Always FOSS or reputable author.
 

maflynn

macrumors Haswell
May 3, 2009
73,533
43,481
You may not have roamed the world of online privacy
Nope, but it seems the general consensus is that FOSS discussions don't include privacy, but privacy discussions tend to recommend/use open source software. There's a difference: one is talking in general about open source, which is what I'm doing, and the other is about a segment of users who are privacy minded and prefer open source.
Yes, 1password is more of an eye candy.
Not just eye candy, I think the UX is better as well. I find that I'm liking how 1Password works, both the app and the plug-in. It's not perfect, I'd like to see a better way of generating passwords, it's not always up front and easy to select, but overall both BW and 1PW are generally great examples of the differences between open source and closed source.

While exceptions certainly exist, open source has a well-deserved reputation of lacking the polish, looking ugly, and not having the same level of visual quality as many similar apps that are closed source.

Before you start pasting examples of good looking open source apps, yes they do exist, but open source does have a reputation that those apps don't look as good.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,334
3,725
Nope, but it seems the general consensus is that FOSS discussions don't include privacy, but privacy discussions tend to recommend/use open source software. There's a difference: one is talking in general about open source, which is what I'm doing, and the other is about a segment of users who are privacy minded and prefer open source.

Not just eye candy, I think the UX is better as well. I find that I'm liking how 1Password works, both the app and the plug-in. It's not perfect, I'd like to see a better way of generating passwords, it's not always up front and easy to select, but overall both BW and 1PW are generally great examples of the differences between open source and closed source.

While exceptions certainly exist, open source has a well-deserved reputation of lacking the polish, looking ugly, and not having the same level of visual quality as many similar apps that are closed source.

Before you start pasting examples of good looking open source apps, yes they do exist, but open source does have a reputation that those apps don't look as good.

- In its origins, FOSS is a movement, pre-dating 1985, to not let any one vendor control your computer. They believe it's OK to "pay" for it, but the customer retains the right to modify and redistribute the software (the 4 freedoms). Privacy is a by-product that emerged with privacy concerns on the internet.

- You are absolutely correct. Unfortunately, FOSS is usually uglier and less intuitive to use than proprietary software; that being said, even some proprietary software is ugly and unintuitive.
 

toasted ICT

macrumors regular
Sep 28, 2010
124
138
Sydney
If your data is not on the developer's server, these types of breach attempts will not work. But if it's on the developer's server, well....

Recently

This is a bit older
 
  • Like
Reactions: MacBH928

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,379
1,787
Around
If your data is not on the developer's server, these types of breach attempts will not work. But if it's on the developer's server, well....

Recently

This is a bit older
This was probably said 93-94 pages ago. Anyone who uses these realizes this.

I also use a security key, so the Lastpass phishing won’t work

Everything on 1Password is encrypted with a secret key and a password, so that issue is a moot point.
 
Last edited:

svenmany

macrumors demi-god
Jun 19, 2011
2,024
1,312
This was probably said 93-94 pages ago. Anyone who uses these realizes this.

I also use a security key, so the Lastpass phishing won’t work

Everything on 1Password is encrypted with a secret key and a password, so that issue is a moot point.

So true. The quality of the vault is so much more important than where it's kept.

Anyone who doesn't keep copies of their vaults offsite is asking for trouble. People who keep their offsite backups on something like Dropbox should assume the worst. I believe this is a bigger honeypot than something like 1Password - so much unencrypted important content, which is easily analyzed and filtered by automatic processing.

I don't have it at hand, but I previously quoted a post by a security researcher. Their assertion was that one should just assume one's vaults will be made public. The security of the vault has to be good enough to make that unimportant.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,379
1,787
Around
So true. The quality of the vault is so much more important than where it's kept.

Anyone who doesn't keep copies of their vaults offsite is asking for trouble. People who keep their offsite backups on something like Dropbox should assume the worst. I believe this is a bigger honeypot than something like 1Password - so much unencrypted important content, which is easily analyzed and filtered by automatic processing.

I don't have it at hand, but I previously quoted a post by a security researcher. Their assertion was that one should just assume one's vaults will be made public. The security of the vault has to be good enough to make that unimportant.
If you ever find that quote again, please send it to me.
 

toasted ICT

macrumors regular
Sep 28, 2010
124
138
Sydney
The quality of the vault is so much more important than where it's kept.
The encrypted database matters but that is far from the only thing that matters.

And it seems Harvest Now, Decrypt Later attacks are a problem. Are stolen LastPass encrypted vaults being cracked? In 2022 LastPass CEO Karim Toubba said that while the encrypted vaults were stolen, only customers knew the master password required to decrypt them. But here we are, and hackers have stolen $4.4 million in cryptocurrency on October 25th 2023, using private keys and passphrases stored in stolen LastPass databases. So it seems they cracked those databases, I guess. Maybe the master password they used was weak. Maybe not.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,024
1,312
The encrypted database matters but that is far from the only thing that matters.

Just to illustrate my intuition, but definitely not correct since it's not a linear combination...

leak security = a * (vault security) + b * (storage security) + c * (a whole bunch of stuff I haven't thought of)

Some points:

  • I contend that "a" is an order of magnitude larger than the other two coefficients.
  • Since you must have offsite backups, vault security has a far greater range of values than storage security.
  • Vault security is mostly in the hands of the people with some expertise. Storage security is often in the hands of the user and their choice of location. For example, a stolen MacBook that doesn't have FileVault turned on is a particularly bad storage location.
Vault security is what I focus on when evaluating password applications. This is just my intuition, not something I can back up.

And it seems Harvest Now, Decrypt Later attacks are a problem. Are stolen LastPass encrypted vaults being cracked? In 2022 LastPass CEO Karim Toubba said that while the encrypted vaults were stolen, only customers knew the master password required to decrypt them. But here we are, and hackers have stolen $4.4 million in cryptocurrency on October 25th 2023, using private keys and passphrases stored in stolen LastPass databases. So it seems they cracked those databases, I guess. Maybe the master password they used was weak. Maybe not.

My recollection is that a large part of the Last Pass problem was weak encryption. And certainly, anything that counts on a single user password, like Last Pass, would be far more vulnerable to brute-force attacks than something that uses 1Password's approach. With 1Password I have my password and the account key (very long hex string).
 

svenmany

macrumors demi-god
Jun 19, 2011
2,024
1,312
If you ever find that quote again, please send it to me.

https://infosec.exchange/@epixoip/109585049354200263

It's quite long and detailed. It discusses what is bad about Last Pass and what is good about 1Password and Bitwarden. At the very end is the part I was referencing.

Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.
 

maflynn

macrumors Haswell
May 3, 2009
73,533
43,481
a glorified password protected spreadsheet file browser.
...
After much research, these are the better options out there.
AgileBits is officially evil for me with dark pattern business behaviour.

I'm curious as to the state of this thread and what participants think after so much discussion.

The OP called password managers a "glorified password protected spreadsheet file browser" nearly 3 years ago and AgileBits an evil company. Is that still the assessment?

For me, I dipped my toe into Bitwarden for a bit of time, but went back to 1Password. My justification is that AgileBits offered a superior product and experience than Bitwarden. They have provided a safe, secure, well-running application and service that allows me to use complex passwords.

After nearly 3 years and over 2,300 posts, how content are people with their password managers? How many applications have you all tried and switched? If people are still trying to find a password manager after 3 years, then something isn't right, or have I misread the bulk of the conversations in this thread? I know there were a number of sidebar conversations regarding the perceived superiority of open source vs. closed source, and vaults stored in the cloud vs. on the device.

How many have people tried before finding one they're happy with? To me there seems to be a large amount of discontentedness, if people (mostly the same people) are still talking about finding a replacement for 1Password. What are these apps not doing that is causing people to keep looking and investigating?
 

Jay-Jacob

macrumors 6502a
Sep 10, 2015
503
289
England
I don't know how others go well outside of 1Password. I was a 1Password user before they changed to subscription. First I moved to Bitwarden, then I added Enpass because I was waiting for a discount code. So I use both in case something happens to one of them.
 
Last edited:
  • Like
Reactions: MacBH928

eltoslightfoot

macrumors 68020
Feb 25, 2011
2,219
2,664
I have switched to Enpass due to the Wi-Fi-only syncing and the fact that I had a lifetime membership already. But I did that relatively recently.
 
  • Like
Reactions: MacBH928

MacBH928

macrumors G3
Original poster
May 17, 2008
8,334
3,725
I'm curious as to the state of this thread and what participants think after so much discussion.

The OP called password managers a "glorified password protected spreadsheet file browser" nearly 3 years ago and AgileBits an evil company. Is that still the assessment?

Yes it is. A password manager is a glorified spreadsheet + encryption + autofill. Even when you export your data, it's exported as a CSV file. I am not sure how difficult the encryption part is or the autofill. Is it worth $36 a year amid all the other subscriptions like video + email + VPN + other apps (Office + Adobe + the rest)?

For me, I dipped my toe into Bitwarden for a bit of time, but went back to 1Password. My justification is that AgileBits offered a superior product and experience than Bitwarden. They have provided a safe, secure, well-running application and service that allows me to use complex passwords.

After nearly 3 years and over 2,300 posts, how content are people with their password managers? How many applications have you all tried and switched? If people are still trying to find a password manager after 3 years, then something isn't right, or have I misread the bulk of the conversations in this thread? I know there were a number of sidebar conversations regarding the perceived superiority of open source vs. closed source, and vaults stored in the cloud vs. on the device.

How many have people tried before finding one they're happy with? To me there seems to be a large amount of discontentedness, if people (mostly the same people) are still talking about finding a replacement for 1Password. What are these apps not doing that is causing people to keep looking and investigating?

The reasons for leaving 1Password are evil business tactics:

  • Forced subscription (could have kept license option like Enpass with 3-4 years of security updates)
  • Forced their cloud storage
  • disabled local storage and local sync
  • lying to customers saying cloud storage and subscription model is the better option for their customers
  • I don't want to do business with a company that wants to suck their customers dry for bigger profits
Quick summary (imo):

  • 1password remains the best overall experience
  • Bitwarden has better autofill capabilities (afaik)
  • Bitwarden does what 1password does for free
  • I tried enpass and Bitwarden. Both sufficient but enpass needs polishing and better autofill capabilities
  • Mini-assistant, killer feature for me, is only offered by 2 password managers: Enpass and 1Password.
Password managers that other members here tried and decided to settle with:

  • Enpass
  • Bitwarden
  • Codebook
  • Strongbox
  • Read a couple went with Minimalist and Secrets
Popular password managers on the app store that no one tried in this thread (AFAIK):

  • Keeper
  • Dashlane
  • Roboform
  • mSecure

Although it doesn't give the full picture, 1Password is the lowest rated password manager on the iOS App Store, with one of the lower numbers of reviews.
 

Last edited:

Jay-Jacob

macrumors 6502a
Sep 10, 2015
503
289
England
Although it doesn't give the full picture, 1Password is the lowest rated password manager on the iOS App Store, with one of the lower numbers of reviews.
I was curious and had a look because they usually have the highest reviews (before subscription). I was expecting people to complain about them being subscription and rate it low, but it turns out it's not that after all. It seems very buggy based on reviews, like opening a random item instead of the last opened one, opening in edit mode instead of read mode so people accidentally changed details, all password items disappearing for a while, etc.

Interesting, it seems to have gone downhill since they changed to subscription. Didn't expect that, because they were the most stable and reliable password manager back in those days.
 
  • Like
Reactions: eltoslightfoot

svenmany

macrumors demi-god
Jun 19, 2011
2,024
1,312
I was curious and had a look because they usually have the highest reviews (before subscription). I was expecting people to complain about them being subscription and rate it low, but it turns out it's not that after all. It seems very buggy based on reviews, like opening a random item instead of the last opened one, opening in edit mode instead of read mode so people accidentally changed details, all password items disappearing for a while, etc.

Interesting, it seems to have gone downhill since they changed to subscription. Didn't expect that, because they were the most stable and reliable password manager back in those days.

It's a much more complex product now. I've had almost no issues with it. I've seen a couple of bugs over the last couple of years, but they get addressed in their regular patches.

Bitwarden does what 1password does for free

Not really. 1Password doesn't offer a stripped-down version that mimics Bitwarden's free version. The family plan is cheaper than 1Password's, but not by a ton.

A password manager is a glorified spreadsheet + encryption + autofill.

I strongly disagree. I'm not sure how to argue the point though, except by listing all the features that password programs have. I guess a person is a glorified mass of cells + poop.
 
  • Like
Reactions: Supermallet

maflynn

macrumors Haswell
May 3, 2009
73,533
43,481
Yes it is. A password manager is a glorified spreadsheet + encryption + autofill.
Just because you can get a CSV export does not make it a spreadsheet. It's actually a database. I can easily export fields from an Oracle database into a CSV file, and that doesn't mean that Oracle is a spreadsheet. The vaults (doesn't matter if it's BW, 1PW, or another) have fields, attributes, and the ability to add/remove data without disrupting other records.

It's a minor point, not really worth an extended back and forth. I was just curious if your opinion and others' had changed during these past few years. Was the time invested in searching and trying different apps worth it? I like both BW and 1PW because both just work.

My thinking is that at some point I needed to settle down on one solution and stick with it. I feel that 1PW's design, execution, features, and customer support warrant the price, but everyone is different. I don't knock anyone if they want a different solution.

It's just an odd (to me) occurrence to keep talking about the topic of moving off of 1PW over and over, i.e., "I'm leaving 1PW" but never really settling on a replacement.
 
Last edited:

gregmac19

macrumors regular
Jul 28, 2016
198
146
...And certainly, anything that counts on a single user password, like Last Pass, would be far more vulnerable to brute-force attacks than something that uses 1Password's approach. With 1Password I have my password and the account key (very long hex string).
I think it is important to point out what 1Password's Secret Key is meant to do. From 1Password's website:

“Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.”

Note that the Secret Key wouldn’t help protect your data if your device is stolen.

I think the Secret Key feature is a great idea, but I also believe this is far more important for those who choose to put their vaults on servers rather than keeping them local.
 
  • Like
Reactions: MacBH928
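The point svenmany and gregmac19 make above, that a vault keyed by a password plus a long secret key resists offline guessing against a stolen copy but adds nothing once the device holding that key is stolen, as an added example that is not part of the thread and not 1Password's or any vendor's code. The derivation shown (PBKDF2 for the password, HKDF for the secret key, XOR to combine the two halves), the fixed salt, the iteration count, the credential strings and the short wordlist are all constructed assumptions for the demonstration.

```python
"""Added illustration (not any vendor's code) of why a second high-entropy
secret protects a vault copy that has left the device.  Every value here is
constructed for the demo; the scheme is a simplification, not an exact
reproduction of 1Password's."""
import hashlib
import hmac

ITERATIONS = 100_000                      # PBKDF2 work factor (constructed; real products use more)
SALT = b"constructed-salt-for-demo"       # constructed; would be random per account in practice


def password_only_key(password: str) -> bytes:
    """Password-only derivation: the whole 32-byte key depends on the password alone."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS, dklen=32)


def hkdf_expand(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869, extract with an all-zero salt, then expand),
    used to stretch the secret key into `length` bytes of key material."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def two_secret_key(password: str, secret_key: str) -> bytes:
    """Simplified two-secret derivation (assumption: a simplification of the
    idea, not a vendor's exact scheme): stretch the password with PBKDF2,
    stretch the secret key with HKDF, XOR the halves.  An attacker holding
    only the vault must guess both halves, not just the password."""
    pw_part = password_only_key(password)
    sk_part = hkdf_expand(secret_key.encode(), b"two-secret-demo", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def verifier(key: bytes) -> str:
    """Stand-in for the encrypted vault: a tag that a guess can be checked against."""
    return hmac.new(key, b"vault-integrity-check", hashlib.sha256).hexdigest()


def offline_guess(wordlist, tag, derive):
    """Model of an offline attack on a stolen vault copy: run each candidate
    through the derivation and compare with the stored tag."""
    for candidate in wordlist:
        if hmac.compare_digest(verifier(derive(candidate)), tag):
            return candidate
    return None


# Constructed credentials and wordlist for the demo (not real).
MASTER_PASSWORD = "Sydney2010!"
SECRET_KEY = "constructed-high-entropy-secret-7TXW4R-M8PV3N"
WORDLIST = ["password", "Sydney2010!", "letmein", "hunter2"]  # contains the real password on purpose


def demo():
    """Returns (password recovered from a password-only vault,
                password recovered from a two-secret vault without the secret key,
                whether the legitimate device, which holds the secret key, still opens it)."""
    weak_tag = verifier(password_only_key(MASTER_PASSWORD))
    strong_tag = verifier(two_secret_key(MASTER_PASSWORD, SECRET_KEY))

    recovered_weak = offline_guess(WORDLIST, weak_tag, password_only_key)
    # The attacker has the vault copy but not the secret key, so every guess
    # is combined with a wrong (here: empty) secret key.
    recovered_strong = offline_guess(WORDLIST, strong_tag, lambda pw: two_secret_key(pw, ""))
    # On the device the secret key is present, so the right password opens the
    # vault; that is also why the secret key adds nothing against device theft.
    opens_on_device = verifier(two_secret_key(MASTER_PASSWORD, SECRET_KEY)) == strong_tag
    return recovered_weak, recovered_strong, opens_on_device


if __name__ == "__main__":
    print(demo())
```

The wordlist deliberately contains the real password: with password-only derivation the stolen copy gives it up after four guesses, while the two-secret copy does not, because each guess is also missing the secret key's entropy. The last value returned by `demo()` is the caveat from gregmac19's post: the device itself holds the secret key, so a vault taken together with the device is protected only by the password.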