
Mr. Heckles

macrumors 65816
Mar 20, 2018
1,387
1,796
Around
You may be right, though in this case I’m not sure. I don’t know if 1Password v4 ever looked out to the Internet as more recent versions do so I think the threat is almost like keeping an old version of solitaire…pretty minimal. But more facts here would be useful certainly, and the safer position is to keep things current. Still not sure 1P v4 is a “…huge security risk” until proven so.
It's on a MacBook Pro that will run up to macOS High Sierra (version 10.13), and the last security update that got was back in November of 2020. 1Password 4's latest update came out in October of 2014… yup, not a huge security risk 🙄
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,623
43,622
Is there a security risk to using such out-of-date programs?

There are vulnerabilities for 1Password that the developer patches. You are not patched, so your data can be at risk.
I read that Norton 360 includes a password manager.
I would stay away from Norton, horrible company, horrible software.

If you're looking for a good password manager that is not 1Password, Bitwarden is what I would recommend. There's a free tier that is extremely powerful; the subscription version is only 10 dollars a year and provides a few add-ons, but not to the core of the program, just nice-to-haves. That is, the free version is an extremely capable password manager, dare I say better than Norton.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,387
1,796
Around

There are vulnerabilities for 1Password that the developer patches. You are not patched, so your data can be at risk.

I was going to post this, thanks!
I would stay away from Norton, horrible company, horrible software.

If you're looking for a good password manager that is not 1Password, Bitwarden is what I would recommend. There's a free tier that is extremely powerful; the subscription version is only 10 dollars a year and provides a few add-ons, but not to the core of the program, just nice-to-haves. That is, the free version is an extremely capable password manager, dare I say better than Norton.
I agree.
 

hajime

macrumors 604
Jul 23, 2007
7,832
1,266

There are vulnerabilities for 1Password that the developer patches. You are not patched, so your data can be at risk.

I would stay away from Norton, horrible company, horrible software.

If you're looking for a good password manager that is not 1Password, Bitwarden is what I would recommend. There's a free tier that is extremely powerful; the subscription version is only 10 dollars a year and provides a few add-ons, but not to the core of the program, just nice-to-haves. That is, the free version is an extremely capable password manager, dare I say better than Norton.

If I recall correctly, years ago some of us chose 1Password because it stores an important encrypted file locally on the computer or on Dropbox, which makes it difficult for the bad guys to access the vault? Is Bitwarden doing the same or something similar?

Speaking of Norton, what is wrong with it and the company? I see it and Bitdefender are ranked top in macworld, pcmagazine, etc. I used to use Norton Internet products 20+ years ago. Recently I bought their Norton 360 Deluxe (3 devices). I installed it on a PC but I am still trying to decide if I should install it on a Mac/iOS device.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,623
43,622
If I recall correctly, years ago some of us chose 1Password because it stores an important encrypted file locally on the computer or on Dropbox, which makes it difficult for the bad guys to access the vault? Is Bitwarden doing the same or something similar?
99% of password managers store their vaults in the cloud. Bitwarden has the ability to self-host the vault. Not exactly the same as storing locally, but it's something that can be considered if you don't want your passwords on someone else's server.
 

hajime

macrumors 604
Jul 23, 2007
7,832
1,266
99% of password managers store their vaults in the cloud. Bitwarden has the ability to self-host the vault. Not exactly the same as storing locally, but it's something that can be considered if you don't want your passwords on someone else's server.

Thanks. I dislike cloud, subscription, etc.
 

gregmac19

macrumors regular
Jul 28, 2016
200
146
Thanks. I dislike cloud, subscription, etc.
Maybe you are unaware of it, but there is a very long thread about password managers: https://forums.macrumors.com/threads/1password-migrants-thread.2307443/

Although several people who post there are users of Bitwarden, I am not a fan of the program. It is relatively ugly and, more importantly, harder to self-host than other programs.

I know of several options for self-hosting, all of which IMO are better than Bitwarden: Enpass, Sticky Password, eWallet, Strongbox, and Codebook. All of these are available without a subscription.

I am very happy with Codebook that has the additional advantage of not having any browser plug-ins, which I think are also a potential source of security issues.
 

SalisburySam

macrumors 6502a
May 19, 2019
818
691
Salisbury, North Carolina
Speaking of Norton, what is wrong with it and the company? I see it and Bitdefender are ranked top in macworld, pcmagazine, etc. I used to use Norton Internet products 20+ years ago. Recently I bought their Norton 360 Deluxe (3 devices). I installed it on a PC but I am still trying to decide if I should install it on a Mac/iOS device.
Same question: what are the key objections to Norton 360? I’ve been using it for years on PC and iMac and it includes a number of useful features including a license to a password manager. The product works on essentially all iOS, macOS, and Windows devices pretty well, at least for me. It also includes a VPN which I use on my iPad and iPhone, 175GB of included cloud backup, and supposedly has dark web monitoring for email addresses and phone numbers though I’m not sure how to verify if that feature works or not and to what extent.

All-in-all, Norton APPEARS to have done pretty well, is a comprehensive suite of tools, has a decent website, and allows a lot of customization. My only and MINOR criticism is that if you need to speak with someone for product or account support, that person will not have English as a first language, so it is a bit harder for me to understand. Even that, though, has always worked well, problems solved, and I even got an account time extension for experiencing the problem I had.

As I’m coming up for renewal soon, I’d be very much interested in why others here feel this product is specifically unacceptable to them.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,387
1,796
Around
Speaking of Norton, what is wrong with it and the company? I see it and Bitdefender are ranked top in macworld, pcmagazine, etc. I used to use Norton Internet products 20+ years ago. Recently I bought their Norton 360 Deluxe (3 devices). I installed it on a PC but I am still trying to decide if I should install it on a Mac/iOS device.

Same question: what are the key objections to Norton 360? I’ve been using it for years on PC and iMac and it includes a number of useful features including a license to a password manager. The product works on essentially all iOS, macOS, and Windows devices pretty well, at least for me. It also includes a VPN which I use on my iPad and iPhone, 175GB of included cloud backup, and supposedly has dark web monitoring for email addresses and phone numbers though I’m not sure how to verify if that feature works or not and to what extent.

All-in-all, Norton APPEARS to have done pretty well, is a comprehensive suite of tools, has a decent website, and allows a lot of customization. My only and MINOR criticism is that if you need to speak with someone for product or account support, that person will not have English as a first language, so it is a bit harder for me to understand. Even that, though, has always worked well, problems solved, and I even got an account time extension for experiencing the problem I had.

As I’m coming up for renewal soon, I’d be very much interested in why others here feel this product is specifically unacceptable to them.
They recently had an issue.
 

SalisburySam

macrumors 6502a
May 19, 2019
818
691
Salisbury, North Carolina
They recently had an issue.
…and they handled it pretty well: quick notifications to subscribers (I know I got one), recommendations to mitigate (change credentials), offers of extended service and/or credit monitoring, etc. Hacking happens and the key for me is how it is handled for the customer.

That said, I don’t use the Norton360 password manager. I still use 1Password, and I never used LifeLock (seemed like a silly subscription, never really understood it, though I probably still have the former CEO’s SSAN memorized after seeing it so many times in ads).
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,623
43,622
Norton products have (in my opinion rightly so) earned the reputation of bloatware. The programs slow down the computer, hard to uninstall. Preinstalled (on PCs). For the price they charge, I feel there are better safer programs. I put Norton in the same category of McAfee, crap software where most of their customers come via preinstalled and the consumer unwittingly pays for the service.

Base Norton 360 (no LifeLock) is $115 a year. With LifeLock, the next tier up, it costs $180. You want the ultimate tier? It's $350.

They truly go by the term "jack of all trades, master of none." Do I want a crap ton of security-type software that is mediocre for a high price, or do I want to find the best program for each category AND pay less?

I mean just look at its VPN product
Norton Secure VPN review: Why we don't recommend this familiar brand's VPN
Norton Secure VPN Review: User-Friendly, But 7 Drawbacks
Even the lifelock product - while lauded by reviewers, has a lot of complaints by users
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
Just an FYI, it is my understanding that Bitwarden also uses Electron.

-kp

I think it does, but 1Password has the mini-agent that is always on; meanwhile, Bitwarden only runs when you launch it, otherwise it lives as an extension in the browser.

Last I checked they haven't had an audit in a few years. I read the most audit and many problems surfaced, which had to be fixed during the audit.

I don't believe anyone is verifying the security portions of the code, other than Bitwarden employees. I've taken a long look at the pull requests and all that I saw are fixes that are not security related. I suspect 1Password, being so well funded, has code that is far more thoroughly reviewed. They also have more recent security audits. Far fewer problems were raised in the one I looked at.

Bitwarden is a great product and well-respected. But the open source aspect of it is only a hypothetical advantage. By the way, 1Password does discuss the open source security packages they use.

Why do they need an audit if the app is FOSS?

That's an interesting question, I've actually not considered 2FA with BW (or 1PW for that matter). My knee jerk reaction is that I want a seamless interaction and 2FA can be a bit jarring. In all honesty, I've not tried it with BW, so I may take a look at that.

As for 1PW, I notice that it struggles at times on some forms. If the login form is presented like it is from Alamo rental car, it doesn't fill in. I click the email address text box, nothing. I click on the little 1PW icon, the sign-in window disappears. Alamo isn't the only website I see 1PW do this on, but I was logging in this morning and, well, 1PW was giving me issues.

It's not a huge problem, but it's an oddity.


Bitwarden has a great feature: you can look into a website's code, see the exact ID of the text field, use it as a custom field, and it will autofill it. You can use it for long forms like that.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
Why do they need an audit if the app is FOSS?

Maybe they don't. Could you name a couple of serious security researchers in the open source community who are reviewing the code and providing input?
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
Maybe they don't. Could you name a couple of serious security researchers in the open source community who are reviewing the code and providing input?

I cannot, but it kind of works the opposite way: being open source, there is a malicious actor who will make it his main target to break into all of Bitwarden's password vaults and steal accounts and bank information... if he can find a security hole, that is.

As a non-programmer, my understanding is that this is more difficult to figure out if you cannot see the source code, but if one is to be found, he will enjoy a long time of password theft before a closed-source vendor figures out that security hole and where it is.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
I cannot, but it kind of works the opposite way: being open source, there is a malicious actor who will make it his main target to break into all of Bitwarden's password vaults and steal accounts and bank information... if he can find a security hole, that is.

As a non-programmer, my understanding is that this is more difficult to figure out if you cannot see the source code, but if one is to be found, he will enjoy a long time of password theft before a closed-source vendor figures out that security hole and where it is.

The code with more frequent independent audits will likely have security holes fixed more quickly. Open source software does not necessarily get free independent audits from the open source community.
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
The code with more frequent independent audits will likely have security holes fixed more quickly. Open source software does not necessarily get free independent audits from the open source community.

I imagine that people reading the code and how it works (available to all connected to the internet) is equivalent to an audit. If there are more steps to it, I do not know.

As I said in another thread, I am sure some cyber security student somewhere in the globe is trying to attack Bitwarden and find a security hole to make it his dissertation and show it off to his future employer. Not to mention the competitors of Bitwarden would be more than happy to find a security hole and publicly shame them to gain their users.

But in the case of more obscure and less known FOSS, yes, you are right. I, for example, do not trust those CLI-based password managers. Too obscure, even if FOSS.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,623
43,622
Why do they need an audit if the app is FOSS?
My $.02 is the purpose of an audit vs. the purpose of FOSS licenses.

Audits are used to validate/verify the integrity.
FOSS licenses dictate who has access to view the source code, who is authorized to change it and how it can be utilized and/or used. Two different things.

Audits provide an independent evaluation of the software/system/environment to ensure they abide by a set of standards, regulations, and/or guidelines. It's quite conceivable that an open source application can have the most insecure method of handling data, be it processing, storing or transmitting. FOSS licenses won't prevent that from happening and making it out into the wild. On the other hand, auditing is designed to catch such things. It provides the customer with a measure of comfort and peace of mind that the code was reviewed externally.
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
My $.02 is the purpose of an audit vs. the purpose of FOSS licenses.

Audits are used to validate/verify the integrity.
FOSS licenses dictate who has access to view the source code, who is authorized to change it and how it can be utilized and/or used. Two different things.

Audits provide an independent evaluation of the software/system/environment to ensure they abide by a set of standards, regulations, and/or guidelines. It's quite conceivable that an open source application can have the most insecure method of handling data, be it processing, storing or transmitting. FOSS licenses won't prevent that from happening and making it out into the wild. On the other hand, auditing is designed to catch such things. It provides the customer with a measure of comfort and peace of mind that the code was reviewed externally.

I think when it's open source it doesn't need a 3rd party independent evaluation, since that task will be done by the "community", assuming it's a popular app. In the case of Bitwarden specifically, the GitHub page shows 277 contributors. I assume that means 277 programmers. I doubt 277 programmers would be blind to the Bitwarden code if it had any flaws or errors.

If there are specific "tests" that the code has to go through to check its security, then maybe yes, no one performed those tests, but again, a reputable app like Bitwarden that makes money off the enterprise edition, I assume they did their homework and ran the tests, otherwise their whole business would collapse.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,623
43,622
I think when it's open source it doesn't need a 3rd party independent evaluation, since that task will be done by the "community"
I would rather trust an audit than assume someone in the community would spot a vulnerability.

There's a reason why corporate finances are audited, as some people could simply say corporations have a community of people overseeing the finances and don't need an independent evaluation.

I think password managers, and privacy minded companies that provide services are in a better position if they decide to have their work audited - that's just me.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
I think when it's open source it doesn't need a 3rd party independent evaluation, since that task will be done by the "community", assuming it's a popular app. In the case of Bitwarden specifically, the GitHub page shows 277 contributors. I assume that means 277 programmers. I doubt 277 programmers would be blind to the Bitwarden code if it had any flaws or errors.

If there are specific "tests" that the code has to go through to check its security, then maybe yes, no one performed those tests, but again, a reputable app like Bitwarden that makes money off the enterprise edition, I assume they did their homework and ran the tests, otherwise their whole business would collapse.
I disagree in the case of security software like the password managers we're discussing.

Earlier in this thread I reported that I reviewed the work by those contributors. Most of it was of a trivial nature. I didn't find a single pull request related to deeper cryptography issues. I admit that I only looked for 15 minutes or so.

Take a look at https://bucket.agilebits.com/securi...ssword_8_for_Mac_Security_Assessment_v1.1.pdf. It makes it clear that very specialized skills are required to do the kind of security audit that is justified. I don't doubt Bitwarden has employees with such skills. But, an independent audit is really needed. It's way easier to catch mistakes when you're not the one making them.
 

HDFan

Contributor
Jun 30, 2007
6,713
2,938
I would rather trust an audit than assume someone in the community would spot a vulnerability.

Agree, but ... There are other cases which I can't find right now where companies passed audits but financially floundered shortly thereafter.

 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,623
43,622
Agree, but ... There are other cases which I can't find right now where companies passed audits but financially floundered shortly thereafter.
I never said it's bulletproof or provides 100% protection, but it certainly gives the consumer a better feeling that the business is doing what it should, be it publisher or financial firm.

As for the article, it states that the auditing can only evaluate whether the bank is following proper procedures and internal controls
"Any unanticipated events or actions taken by management after the date of an opinion could not be contemplated as part of the audit," the company added.

It's like blaming an auditing company for a breach when an employee put an unauthorized and infected thumb drive into their laptop. My employer has tight controls over using thumb drives, cloud storage and whatnot, but that won't stop a given employee from doing something stupid. At that point, is that the fault of the auditing?

It's not the role of auditing to stop or prevent actions, but to report that the company is operating within a predefined set of controls and procedures to help ensure the integrity.

I mean, on the flip side, open source isn't 100% either. Here are three examples of the Linux kernel patching years-old vulnerabilities (CVE-2017-2636, CVE-2016-5195 and CVE-2022-2588):
Linux Kernel Gets Patch For Years-Old Serious Vulnerability
'Dirty Cow' Linux vulnerability found after nine years
'DirtyCred’ Vulnerability Haunting Linux Kernel for 8 Years

I'm not saying that auditing would catch these, but having additional protections is better than just assuming a crowd of developers will spot all vulnerabilities.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
I've thought of an analogy to the audit/community difference.

audit - I'm on the third story of a burning building. The firemen have arrived and they've told me to jump. They've been vetted during the hiring process and our taxes have paid for their training. I feel pretty good about jumping.

community - I'm on the third story of a burning building. There are a couple hundred people milling about below. I've been told that it's very likely that some of them are firemen and will catch me if I jump. Lots of community members - what could go wrong? Oh right, no firemen showed up. Well, maybe if I'm lucky, someone who tried to get a job as a fireman but didn't pass the tests is there. So I inspect the people. Lots of them are looking away - they got bored. "Hey, I just came for the barbecue. I'm sure someone else will catch that jumper." I'd better get airlifted to the building that has the firemen.

So, when do I trust the community?

If I happen to know some of the people milling below, I know they've come to catch people who jump, and I value their expertise at catching people, then I'd trust the community.

If we weren't talking about security software then the analogous situation would not be so dire and I would more likely trust the community.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
Here's something I read a while ago at https://infosec.exchange/@Jwilliams/109586918036144213.

- Bitwarden is 100% open source. I have not done a thorough code review, but I have taken a fairly long glance at the code and I am mostly pleased with what I've seen. I'm less thrilled about it being written in a garbage collected language and there are some tradeoffs that are made there, but overall Bitwarden is a solid product. I also prefer Bitwarden's UX. I've also considered crowdfunding a formal audit of Bitwarden, much in the way the Open Crypto Audit Project raised the funds to properly audit TrueCrypt. The community would greatly benefit from this.

That's the kind of lack I'm referring to with respect to Bitwarden. An expert is saying they haven't made a serious effort to review the code, but hopes a formal audit gets organized in the community. He certainly took a look at the code, but understands that much more is required.
 