
MacBH928

macrumors G3
May 17, 2008
8,359
3,739
Don't get me wrong, an audit will always be an even better situation, either in the FOSS or the proprietary case.

I would rather trust an audit than assume someone in the community would spot a vulnerability.

This is correct, but my opinion is that if the user base is large enough there are people out there who are expert enough on the topic to spot the issues. On the other side of the coin, there are hackers out there trying their hardest to find a flaw, so I assume the "white hat" (good) ones are doing the opposite. Then again, this is what I think.

There's a reason why corporate finances are audited, as some people could simply say corporations have a community of people overseeing the finances and don't need an independent evaluation.

Not a correct analogy, since corporate accounting books are not public information. I do not see Apple putting out how much they pay each employee, or how much it costs to build an iPhone, or how much they spent on toilet paper. Even if they did, you can't confirm the numbers by going back to the corporation and checking the ins and outs of their bank accounts.

They do not put that information out in public, do they?

I think password managers, and privacy minded companies that provide services are in a better position if they decide to have their work audited - that's just me.

Agreed; in Bitwarden's case specifically they do, but there are others I wouldn't trust as much, like KeePass, since it's much more obscure, although they claim they have their own recommendations from official sources.

I disagree in the case of security software like the password managers we're discussing.

Earlier in this thread I reported that I reviewed the work by those contributors. Most of it was of a trivial nature. I didn't find a single pull request related to deeper cryptography issues. I admit that I only looked for 15 minutes or so.

Take a look at https://bucket.agilebits.com/securi...ssword_8_for_Mac_Security_Assessment_v1.1.pdf. It makes it clear that very specialized skills are required to do the kind of security audit that is justified. I don't doubt Bitwarden has employees with such skills. But, an independent audit is really needed. It's way easier to catch mistakes when you're not the one making them.

I can't comment on the contributors of the code; I am just assuming among the community there are people skilled enough to look at and criticise the code, kind of like when an architect puts a house plan online there are other architects out there who can see it and criticise it, or if a pharmaceutical company published a formula for a medication there are chemists and doctors among us who can comment on that.

Especially when it comes to software, there are a lot of coders who are "FOSS warriors" like the FSF and all the people working on LibreOffice, GIMP, Firefox, Linux distros, Blender, Fossdroid, GrapheneOS... the list goes on. I do not assume that all those people have no idea what they are doing.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
I can't comment on the contributors of the code; I am just assuming among the community there are people skilled enough to look at and criticise the code,

Agreed - there are people skilled enough. I have no evidence they are doing the work. But, it's impossible for me to prove non-existence of such a person. Certainly the infosec person I referenced in my last post believed (at the time) that there was no one in the open source community doing that kind of work.

I'll leave you to your beliefs. There's no arguing with faith.
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
Here's something I read a while ago at https://infosec.exchange/@Jwilliams/109586918036144213.



That's the kind of lack I'm referring to with respect to Bitwarden. An expert is saying they haven't made a serious effort to review the code, but hopes a formal audit gets organized in the community. He certainly took a look at the code, but understands that much more is required.

I see your point. IDK who that guy is, but if he is an expert, the expert himself says "I am pleased with what I see and it is a solid product." He is not pleased with the programming language used; not sure how much this affects security. I wonder what he thinks about Electron usage.
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
I'll leave you to your beliefs. There's no arguing with faith.

Trust is not tangible. I like to think of proprietary software and FOSS software like restaurants with a closed kitchen and an open kitchen (they exist). Who would you trust more? A closed kitchen with a certificate from reputable auditing companies saying how great it is from the inside, or the one that is doing all the cooking and dicing in front of the customer?

To each his own.
 

VineRider

macrumors 65816
May 24, 2018
1,352
1,163
Trust is not tangible. I like to think of proprietary software and FOSS software like restaurants with a closed kitchen and an open kitchen (they exist). Who would you trust more? A closed kitchen with a certificate from reputable auditing companies saying how great it is from the inside, or the one that is doing all the cooking and dicing in front of the customer?

To each his own.
Using your analogy of an open kitchen, I think of it this way.

If I were going to eat pufferfish, which must be prepared exactly correctly or it can be fatal, I would rather go with the closed kitchen with a certificate from a reputable auditing company than an open kitchen with no certification, even though they are preparing it in front of the customer.

The reason is I am not qualified, nor do I know if any of the folks watching are qualified to make an assessment on the safety of the food preparation. I would trust the audit firm to make that assessment over me being able to observe.

To me, security software is the same. Just because you can write code (or prepare fish) doesn't mean you are an expert in a very complex technology. There are researchers who have made their careers on studying encryption methods and proper methods of storing secure data. I'd rather trust those individuals than hope someone who can read/write code would make some kind of assessment when I have no idea of their credentials or expertise in complex security software.
 
  • Like
Reactions: Mr. Heckles

JavaMania5

macrumors newbie
Aug 25, 2015
24
16
Rockford Illinois
FWIW... we are a 2-person family that has been using 1Password for about 6 or 7 years. We embraced the cloud and subscription version because it is so simple for an average consumer to create and use 1Password for our own individual use and also for sharing family passwords. With both of us having so many passwords for totally different needs and different websites, and yet a need to share common site passwords for banking and credit card stuff... 1Password just works! We are just average users with average usage. The main reason to use it is that it's just comfortable to use. Are we vulnerable? We honestly don't know! As average users we are not skilled enough nor very interested to dive deep into all of the technical reasons to use or not to use. From what little research we did, there doesn't seem to be an agreement anywhere on a clear choice for ease of use and for safety. Most of us are working off trust. From what we have learned, we are making an attempt to use the web as it has evolved and become so necessary and so useful. We also have become more aware of security and safety issues, but it seems our vulnerability will never go away. Our fear is not so much that a thief could compromise our security by hacking 1Password but, on a bigger scale, due to the increased world economic situation, that the internet could be compromised and we all will be completely shut down, and since EVERYTHING is digital... bigger vulnerabilities may occur and a password manager would be no help anyway.
 

MisterSavage

macrumors 601
Nov 10, 2018
4,667
5,513
Here's something I read a while ago at https://infosec.exchange/@Jwilliams/109586918036144213.



That's the kind of lack I'm referring to with respect to Bitwarden. An expert is saying they haven't made a serious effort to review the code, but hopes a formal audit gets organized in the community. He certainly took a look at the code, but understands that much more is required.

BUT he's also been happy with what he's seen of their code and recommends the product to others. I still prefer that to "trust us, our code you can't look at is safe" personally.
 
  • Like
Reactions: MacBH928

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
BUT he's also been happy with what he's seen of their code and recommends the product to others. I still prefer that to "trust us, our code you can't look at is safe" personally.

In that same post he talks VERY favorably of 1Password, which is largely closed source. He also recommends that product. He based that on his familiarity with the people who work there.
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
Using your analogy of an open kitchen, I think of it this way.

If I were going to eat pufferfish, which must be prepared exactly correctly or it can be fatal, I would rather go with the closed kitchen with a certificate from a reputable auditing company than an open kitchen with no certification, even though they are preparing it in front of the customer.

The reason is I am not qualified, nor do I know if any of the folks watching are qualified to make an assessment on the safety of the food preparation. I would trust the audit firm to make that assessment over me being able to observe.

To me, security software is the same. Just because you can write code (or prepare fish) doesn't mean you are an expert in a very complex technology. There are researchers who have made their careers on studying encryption methods and proper methods of storing secure data. I'd rather trust those individuals than hope someone who can read/write code would make some kind of assessment when I have no idea of their credentials or expertise in complex security software.

You are correct, but in the case of popular FOSS software, I am assuming that so many people are eating at this restaurant, including other competing pufferfish restaurant owners and chefs, that they are willing to call out any mishandling of the safety and food preparation. For lesser-known FOSS software you are 100% correct, and I agree.

Either way, just to clarify for you and @svenmany, it's not that I do not trust the security of 1Password. Far from it. I am more worried about privacy, as those big techs love to monetize data, and it is eased in with something like this:

Today, we’re taking a step toward being able to better understand those moments by embarking on an internal, employee-only trial of our new in-app telemetry system. And, of course, we’re doing it the 1Password way – making sure it doesn’t compromise on our commitment to protecting your privacy and your data.

FWIW... we are a 2-person family that has been using 1Password for about 6 or 7 years. We embraced the cloud and subscription version because it is so simple for an average consumer to create and use 1Password for our own individual use and also for sharing family passwords. With both of us having so many passwords for totally different needs and different websites, and yet a need to share common site passwords for banking and credit card stuff... 1Password just works! We are just average users with average usage. The main reason to use it is that it's just comfortable to use. Are we vulnerable? We honestly don't know! As average users we are not skilled enough nor very interested to dive deep into all of the technical reasons to use or not to use. From what little research we did, there doesn't seem to be an agreement anywhere on a clear choice for ease of use and for safety. Most of us are working off trust. From what we have learned, we are making an attempt to use the web as it has evolved and become so necessary and so useful. We also have become more aware of security and safety issues, but it seems our vulnerability will never go away. Our fear is not so much that a thief could compromise our security by hacking 1Password but, on a bigger scale, due to the increased world economic situation, that the internet could be compromised and we all will be completely shut down, and since EVERYTHING is digital... bigger vulnerabilities may occur and a password manager would be no help anyway.

If you trust the security and privacy of 1Password, don't mind the rental price, and have no problem with your data stored in the cloud on their servers, by all means use 1Password.

Honestly, it's the most polished, has the most pleasing interface, and is probably the easiest to use.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,387
1,796
Around
Either way, just to clarify for you and @svenmany, it's not that I do not trust the security of 1Password. Far from it. I am more worried about privacy, as those big techs love to monetize data, and it is eased in with something like this:
And there was a discussion on Reddit about this, and it will be optional. Not a big deal.

From a 1Password team member:
Above all, this system will be optional. As mentioned in the blog post that you linked to, there will be a way to easily control whether or not you contribute to the insights that the 1Password team receives. The more we gather, the better we understand what’s happening overall, and so I can’t exactly encourage you to disable it. But the choice is entirely yours.
 
Last edited:

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
I’d like to clarify something as well. All my recent posts were about why I feel open source projects for security software should have formal audits by experts. I wasn’t really discussing open source versus closed source. I was responding to

Why do they need an audit if the app is FOSS?

and the implication that community support is good enough for security software. Bitwarden is open source and does pay for audits. I think that means they believe that audits are required to meet their security standards.

I understand now we've moved on to a different subtopic of this thread.
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
And there was a discussion on Reddit about this, and it will be optional. Not a big deal.

From a 1Password team member:

Yes, for now, but I'm wary it's a sign of worse things in the future, like how they transitioned from a subscription + license option to a license-only option. It's optional at first, and then?? We have to wait and see.

I’d like to clarify something as well. All my recent posts were about why I feel open source projects for security software should have formal audits by experts.
and the implication that community support is good enough for security software. Bitwarden is open source and does pay for audits. I think that means they believe that audits are required to meet their security standards.

Can't argue; an audit will always be better.

I understand now we've moved on to a different subtopic of this thread.

Yes, we should return to the topic and see how many people didn't find the alternatives good enough and came back to 1Password. Looking to hear from others.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,625
43,623
Yes, we should return to the topic and see how many people didn't find the alternatives good enough and came back to 1Password. Looking to hear from others.
Good idea

I've largely been using 1Password, but it's been more due to the convenience factor than because I think it's superior or not. I think what I might do is clean up my Bitwarden vault and reimport 1Password's. The last time I tried that, it was not very straightforward. My goal is to start using Bitwarden again and see if I like BW more than 1PW after using 1PW for a while now.

There is one thing that annoys me to no end with 1PW, and that's the 1Password icon that shows up next to many textboxes. In my work and personal life, I tend to deal with web forms that have a number of text boxes, and I don't want 1PW trying to fill anything in there. It does a poor job at identifying userid/password fields.

I think the iOS version of 1PW offers a more seamless, easier-to-use experience.
 
  • Like
Reactions: Tagbert

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
I might give Bitwarden a try.

The only advantage Bitwarden would have over 1Password is that it's slightly cheaper for the family account and it's open source. For me, the cost savings is only slight; I'm on early access 1Password, so I only pay $48/year for 7 users. Bitwarden would be $40/year for 6 users.

I took a look at setting up for self-hosting. I do have lots of experience with Docker, but it doesn't seem practical. I don't leave a server in my house running all the time. If it were just me, I guess I could fire up a server whenever I needed it, but I have my family to consider as well.
 

icanhazmac

Contributor
Apr 11, 2018
2,578
9,838
I never jumped ship but I also did not upgrade to v8, mostly because I had heard bad things about Electron apps. With the recent news I guess I need to make a choice, stay with 1PW or just ship to something else, like Minimalist.

For those still on, or have come back to, 1PW, how do you rate the Electron app in terms of performance, memory and of course UI?
 
Last edited:

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
I never jumped ship but I also did not upgrade to v8, mostly because I had heard bad things about Electron apps. With the recent news I guess I need to make a choice, stay with 1PW or just ship to something else, like Minimalist.

For those still on, or have come back to, 1PW, how do you rate the Electron app in terms of performance, memory and of course UI?

I think the 1Password desktop app is fabulous. I use it on my new M2 and my 2018 Intel. It's snappy, slick, functional, and pretty.

The browser extension is a step backwards from the old one. It's less reliable and harder to use. Sometimes my browser will take a while to connect after unlocking 1Password.

I can't comment on the memory load since I always have lots of RAM configured on my machines. Right now, I'm running 1Password desktop app and it seems like about 320 MB (total with parent process and children). So, that's less than Dropbox and Mail, for example. If I exit the desktop app and just have the menubar app and a couple of browsers (Firefox and Safari) with the extensions running, the memory load is around 180 MB.
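The "total with parent process and children" figure above depends on summing every helper process the app spawns, not just the one named in Activity Monitor. The following shell function is an added example (not code from the post's author or from 1Password) that does that sum from `ps` output; the process table in it is constructed for illustration and is not a real measurement.

```shell
# Sum resident memory (RSS, in KB) for one process and all of its descendants,
# which is what "total with parent process and children" means when an Electron
# app is split into a main process plus helper/renderer/GPU children.
# Parses the output of `ps -eo pid,ppid,rss,comm` (macOS and Linux).

# tree_rss_from PS_OUTPUT ROOT_PID -> total RSS in KB of ROOT_PID's subtree
tree_rss_from() {
    printf '%s\n' "$1" | awk -v root="$2" '
        NR > 1 { ppid[$1] = $2; rss[$1] = $3 }   # skip the header line
        END {
            # breadth-first walk from the root, summing RSS as we go
            total = 0
            queue[1] = root; head = 1; tail = 1
            while (head <= tail) {
                cur = queue[head++]
                total += rss[cur]
                for (p in ppid) if (ppid[p] == cur) queue[++tail] = p
            }
            print total
        }'
}

# Live version: total RSS for the subtree rooted at the given PID.
# Example: tree_rss "$(pgrep -x 1Password | head -n 1)"
tree_rss() {
    tree_rss_from "$(ps -eo pid,ppid,rss,comm)" "$1"
}

# Constructed sample process table (not real measurements); the 1Password
# subtree is made to sum to 320000 KB to match the figure quoted above.
SAMPLE_PS='  PID  PPID    RSS COMM
    1     0   8000 launchd
 1001     1 120000 1Password
 1002  1001  90000 1Password Helper
 1003  1001  60000 1Password Helper (Renderer)
 1004  1003  50000 1Password Helper (GPU)
 2000     1 350000 Dropbox
 2001  2000  30000 Dropbox Helper'

# Total for the constructed 1Password tree (pid 1001 and its descendants).
sample_1password_kb() {
    tree_rss_from "$SAMPLE_PS" 1001
}

sample_1password_kb
```

Run `tree_rss <pid>` against a live system to get the same kind of subtree total for any app; a PID with no entry in the table simply sums to 0.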
 

Tagbert

macrumors 603
Jun 22, 2011
5,740
6,714
Seattle
I never jumped ship but I also did not upgrade to v8, mostly because I had heard bad things about Electron apps. With the recent news I guess I need to make a choice, stay with 1PW or just ship to something else, like Minimalist.

For those still on, or have come back to, 1PW, how do you rate the Electron app in terms of performance, memory and of course UI?
I haven’t run into any performance or resource problems due to it being Electron. Some Electron apps are poorly written and burn cpu cycles but not all do.
 
  • Like
Reactions: icanhazmac

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,625
43,623
because I had heard bad things about Electron apps.
There are probably apps you're using right now that the developers used Electron to produce. I think what happened is word spread that 1PW is using Electron and all hell broke loose, without people knowing the details or experiencing issues themselves.

Personally, I haven't run into any issues, and even Bitwarden uses Electron, so it's a bit silly for those of us who jumped ship to BW because of Electron. There are plenty of valid reasons for leaving 1PW and plenty of good reasons for choosing BW, but in the end don't let mass hysteria become the deciding factor.
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
Good idea

I've largely been using 1Password, but it's been more due to the convenience factor than because I think it's superior or not. I think what I might do is clean up my Bitwarden vault and reimport 1Password's. The last time I tried that, it was not very straightforward. My goal is to start using Bitwarden again and see if I like BW more than 1PW after using 1PW for a while now.

I can't switch completely to Bitwarden because the mini assistant is completely essential to me, especially in the world of 2FAs and having to re-enter your credentials multiple times everywhere.

There is one thing that annoys me to no end with 1PW, and that's the 1Password icon that shows up next to many textboxes. In my work and personal life, I tend to deal with web forms that have a number of text boxes, and I don't want 1PW trying to fill anything in there. It does a poor job at identifying userid/password fields.

I think the iOS version of 1PW offers a more seamless, easier-to-use experience.

I think that's supposed to give more "ease" to the situation, as users would know that this field is "fillable" by 1Password.

I used 1PW, Bitwarden, and Enpass. Bitwarden has the best autofill.
 

MacBH928

macrumors G3
May 17, 2008
8,359
3,739
I might give Bitwarden a try.

The only advantage Bitwarden would have over 1Password is that it's slightly cheaper for the family account and it's open source. For me, the cost savings is only slight; I'm on early access 1Password, so I only pay $48/year for 7 users. Bitwarden would be $40/year for 6 users.

I took a look at setting up for self-hosting. I do have lots of experience with Docker, but it doesn't seem practical. I don't leave a server in my house running all the time. If it were just me, I guess I could fire up a server whenever I needed it, but I have my family to consider as well.

Unless you are worried about closed source or online data storage, I wouldn't switch to Bitwarden. 1PW is more seamless to use for the family, and the price difference is negligible.

Could Bitwarden be set up on a VPS? You have to use Vaultwarden for that, I think.

You are on early access of 1Password, as in since its inception?

I never jumped ship but I also did not upgrade to v8, mostly because I had heard bad things about Electron apps. With the recent news I guess I need to make a choice, stay with 1PW or just ship to something else, like Minimalist.

For those still on, or have come back to, 1PW, how do you rate the Electron app in terms of performance, memory and of course UI?

I think the 1Password desktop app is fabulous. I use it on my new M2 and my 2018 Intel. It's snappy, slick, functional, and pretty.

The browser extension is a step backwards from the old one. It's less reliable and harder to use. Sometimes my browser will take a while to connect after unlocking 1Password.

I can't comment on the memory load since I always have lots of RAM configured on my machines. Right now, I'm running 1Password desktop app and it seems like about 320 MB (total with parent process and children). So, that's less than Dropbox and Mail, for example. If I exit the desktop app and just have the menubar app and a couple of browsers (Firefox and Safari) with the extensions running, the memory load is around 180 MB.

I didn't use it, but I think the Electron thing maybe is exaggerated; I think they said they do not use full Electron but some Electron elements?! For comparison, Enpass takes about 120MB of RAM on my machine all the time.


I haven’t run into any performance or resource problems due to it being Electron. Some Electron apps are poorly written and burn cpu cycles but not all do.

There are probably apps you're using right now that the developers used Electron to produce. I think what happened is word spread that 1PW is using Electron and all hell broke loose, without people knowing the details or experiencing issues themselves.

Personally, I haven't run into any issues, and even Bitwarden uses Electron, so it's a bit silly for those of us who jumped ship to BW because of Electron. There are plenty of valid reasons for leaving 1PW and plenty of good reasons for choosing BW, but in the end don't let mass hysteria become the deciding factor.

Correct me if I am wrong, but I thought to use Electron you have to load a full Chromium browser in the background, hence why it feels heavy.

Your "Bitwarden uses Electron" argument is not just. Bitwarden mostly lives as a browser extension, which is created in TypeScript I believe. Launching the app uses Electron. Compare this with 1Password, which is always on in the background (this would be equal to Bitwarden always being open in the bg). For testing purposes I launched the Bitwarden app, and it was a heavy launch, but RAM usage is 238MB.

In the end, it all might be just fearmongering; one has to use it in the real world to tell if there are any performance issues.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
There is one thing that annoys me to no end with 1PW, and that's the 1Password icon that shows up next to many textboxes. In my work and personal life, I tend to deal with web forms that have a number of text boxes, and I don't want 1PW trying to fill anything in there. It does' a poor job at identifying userid/password fields.

Same here. It bothered me so much that I turned off "Offer to fill and save passwords".
 
  • Like
Reactions: maflynn

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
You are on early access of 1password as in since its inception?

I signed up for the family plan subscription during the early access period.

I've been using 1Password continuously since 2007, but my initial purchase was of a normal release, not a pre-release. I wonder when 1Password was first released.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,066
1,339
Correct me if I am wrong, but I thought to use Electron you have to load a full Chromium browser in the background, hence why it feels heavy.

Your "Bitwarden uses Electron" argument is not just. Bitwarden mostly lives as a browser extension, which is created in TypeScript I believe. Launching the app uses Electron. Compare this with 1Password, which is always on in the background (this would be equal to Bitwarden always being open in the bg). For testing purposes I launched the Bitwarden app, and it was a heavy launch, but RAM usage is 238MB.

I use the latest 1Password on my 2013, 2018, and 2023 MacBook Pros. On none of them does it feel heavy from a user's perspective with respect to load time or responsiveness. You probably meant something different by "feels".

1Password is always on when you are using the browser extension since it integrates with the menubar app, but it's way smaller than when the full 1Password application is running. If I have just Safari running, then the 1Password memory load is around 80MB. I'm not sure I would call that a full Chromium browser.

In the link I referenced earlier, the person was slightly critical of Bitwarden's use of a garbage-collected language. TypeScript is such a language, so that must have been what he was referring to. 1Password uses Rust for its security bits. Check out https://www.wired.com/story/rust-secure-programming-language-memory-safe/.
 

KaliYoni

macrumors 68000
Feb 19, 2016
1,731
3,823
For anybody interested, here's an earlier discussion about why open source software isn't inherently highly secure:

----------
ETA
Something important to keep in mind is that open source code is not a guarantee of safety on its own, even with high numbers of users or very widespread adoption. For example, many major breaches of corporate systems have resulted from vulnerabilities in low level, infrequently reviewed or patched components in open source software, such as time lookup functions. These components are considered "boring" by developers so even when a bug is discovered, there can be a lack of interest in writing a patch and/or no clear responsibility for making a fix.

Here's an article with some stats:
 
Last edited:
  • Like
Reactions: svenmany