
svenmany

macrumors demi-god
Jun 19, 2011
2,052
1,330
Do you think most people who use iPhones, Android phones, and MS Office read the documentation of this software?
You are free to do so, but most people just want to get on with their lives. I bet most people do not even read their car manual.

In the article you show that 10% of people use Safari, in other words, Codebook is not the right solution for 90% of desktop users. Hence why I say, it's a deal breaker for 90% of desktop users. If it best suits anyone, by all means use it, but I cannot generally recommend it as other password managers have superior capabilities.

Your original point was "Codebook is too obscure and I wouldn't say it's the most pleasant thing to use". I believe you were referring to Secret Agent and the way it supports filling in passwords in browsers other than Safari.

I don't feel it's too obscure. They do advertise their "global keyboard shortcut" on their main web page; that provides a link to the details of Secret Agent. Also, the preferences of Codebook have a checkbox to enable the keyboard shortcut, which must turn on Secret Agent. That seems like a basic thing a user would set and that would enable password filling in other browsers.

I have no comment on it not being very pleasant to use since I've never tried Codebook. I'll trust your judgement on that one. If that is true, then that would be a major impediment to me using Codebook, since I spend most of my time in Firefox. Also, I sometimes use Windows and expect password filling to work in browsers. Secret Agent is the way they support that platform. If it's yucky, fuggedaboudit.

It's a significant advantage to me that 1Password works consistently on Windows, Mac, and Linux - and in all major browsers. And, even though I find their browser extension to be problematic, it is pretty full featured and works well most of the time.

1Password also supports a pretty powerful global autofill feature with a keyboard shortcut. I don't know if Secret Agent is as powerful. 1Password's global autofill even provides the password if I need it when I run "sudo" in a terminal or am prompted by the OS for administrator credentials. Setting that up is a bit obscure.
 

gregmac19

macrumors regular
Jul 28, 2016
199
146
Do you think most people who use iPhones, Android phones, and MS Office read the documentation of this software?
You are free to do so, but most people just want to get on with their lives. I bet most people do not even read their car manual.

In the article you show that 10% of people use Safari, in other words, Codebook is not the right solution for 90% of desktop users. Hence why I say, it's a deal breaker for 90% of desktop users. If it best suits anyone, by all means use it, but I cannot generally recommend it as other password managers have superior capabilities.
“Do you think most people who use iPhones, Android phones, and MS Office read the documentation of this software?”

I think that password management software is decidedly different from the things you mentioned.


“In the article you show that 10% of people use Safari, in other words, Codebook is not the right solution for 90% of desktop users. Hence why I say, it’s a deal breaker for 90% of desktop users.”

This is just your opinion. As I have pointed out several times, while Codebook’s Secret Agent is not as convenient as AutoFill, it still is easy to use. I regularly use it with Firefox without issue.


This thread is supposed to be about users migrating back to 1Password, and I apologize for it getting hijacked to discuss this topic.
 

MacBH928

macrumors G3
May 17, 2008
8,351
3,734
Your original point was "Codebook is too obscure and I wouldn't say it's the most pleasant thing to use". I believe you were referring to Secret Agent and the way it supports filling in passwords in browsers other than Safari.

I don't feel it's too obscure.

If you search YouTube for a software and it's not there, it is obscure.

They do advertise their "global keyboard shortcut" on their main web page; that provides a link to the details of Secret Agent. Also, the preferences of Codebook have a checkbox to enable the keyboard shortcut, which must turn on Secret Agent. That seems like a basic thing a user would set and that would enable password filling in other browsers.

You are confusing obscure (not well-known/used/popular) with unsupported/no documentation. The documentation is there, the company might be well known, but the software itself does not have many users. This reminds me of FreeBSD, which seems to have great documentation, in development since like 1990 or earlier, but yeah... user base and community not so hot.

I have no comment on it not being very pleasant to use since I've never tried Codebook. I'll trust your judgement on that one. If that is true, then that would be a major impediment to me using Codebook, since I spend most of my time in Firefox. Also, I sometimes use Windows and expect password filling to work in browsers. Secret Agent is the way they support that platform. If it's yucky, fuggedaboudit.

I found the GUI ugly and password autofill confusing compared to other apps, but do not take my word for it; use it yourself and it might be pleasing to you.

It's a significant advantage to me that 1Password works consistently on Windows, Mac, and Linux - and in all major browsers. And, even though I find their browser extension to be problematic, it is pretty full featured and works well most of the time.

1Password also supports a pretty powerful global autofill feature with a keyboard shortcut. I don't know if Secret Agent is as powerful. 1Password's global autofill even provides the password if I need it when I run "sudo" in a terminal or am prompted by the OS for administrator credentials. Setting that up is a bit obscure.

There is no need to beat around the bush, 1Password is the best overall password manager. It just has caveats, and if those caveats are deal breakers for you then you should look elsewhere.

This thread is supposed to be about users migrating back to 1Password, and I apologize for it getting hijacked to discuss this topic.

You are correct and we should not hijack the thread, just natural course of discussion to divert the topic. Bound to happen. opt
 

svenmany

macrumors demi-god
Jun 19, 2011
2,052
1,330
If you search YouTube for a software and it's not there, it is obscure.

I misunderstood you; I thought you were saying the Secret Agent feature of Codebook is too obscure. I now think you’re saying Codebook is too obscure. I have no opinion on that.

This thread is supposed to be about users migrating back to 1Password, and I apologize for it getting hijacked to discuss this topic.

It feels on topic to me. I am looking at other products and am concluding 1Password is still my choice. So, I guess I’m a remigrant. Some give reasons supporting that point of view. Others push back when they think some of those reasons are off the mark.
 

MacBH928

macrumors G3
May 17, 2008
8,351
3,734
Yeah I guess if you discuss the issues of other password managers it helps the "remigrants" perspective.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
So I've been using 1PW now for a few months and feel fairly comfortable with it, I wanted to see how BitWarden stacks up to it.

I exported 1PW and imported it in BW and I've been using BW now for the past couple of weeks. BW's usage has been seamless and I enjoy how the plugin works.

With that said, I think 1PW is still a better product, whether we're talking about the stand alone app (desktop & mobile app), website, reports, security, or the features 1PW offers.

Finally, the fact that BitWarden is forcing its users to use 2FA kind of bothers me. I understand having only a master password is a single point of failure, but I really hate 2FA. I also hate being forced to use the app a certain way; I want to be the one making the decisions on how best to use the product I'm paying for. At this point that is a show stopper. I understand once my plugin is authorized I probably won't need the 2FA portion but it still bothers me. I feel 1PW's secret key works better and provides a better level of security imo.
 

MacBH928

macrumors G3
May 17, 2008
8,351
3,734
So I've been using 1PW now for a few months and feel fairly comfortable with it, I wanted to see how BitWarden stacks up to it.

I exported 1PW and imported it in BW and I've been using BW now for the past couple of weeks. BW's usage has been seamless and I enjoy how the plugin works.

With that said, I think 1PW is still a better product, whether we're talking about the stand alone app (desktop & mobile app), website, reports, security, or the features 1PW offers.

Finally, the fact that BitWarden is forcing its users to use 2FA kind of bothers me. I understand having only a master password is a single point of failure, but I really hate 2FA. I also hate being forced to use the app a certain way; I want to be the one making the decisions on how best to use the product I'm paying for. At this point that is a show stopper. I understand once my plugin is authorized I probably won't need the 2FA portion but it still bothers me. I feel 1PW's secret key works better and provides a better level of security imo.

How is 1PW autofill for you? Bitwarden is near perfect.

How are they forcing 2FA? It's a paid feature. I am on paid but I do not get prompted for 2FA, nor do I believe I have it turned on.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
How is 1PW autofill for you? Bitwarden is near perfect.
BW seems a bit better with personal details; passwords are flawless.
How are they forcing 2FA? It's a paid feature.
As I mentioned, if I up the KDF iterations I'm being told that I need to enable two step login (2FA). I never received any notice that I had to, but this notice when I log in about the KDF iterations and the button from that leads me to the screen shot communicates that I will be required to use 2FA.
[screenshot attachment]


Additionally, this Reddit thread details how BW is forcing 2FA:
Forcing users to use 2fa is EXACTLY the right move!

As for 2FA being a paid tier option, that's not exactly correct, BW offers free 2FA, subscribers have more options to select from
 

gregmac19

macrumors regular
Jul 28, 2016
199
146
BW seems a bit better with personal details, passwords, are flawless.

As I mentioned, if I up the KDF iterations I'm being told that I need to enable two step login (2FA).
Why in the world is there even an option for upping the KDF iterations? It seems to me that an option to change the number of KDF iterations is a tacit admission that the program, with its default settings, is not as secure as it should be. And this begs the question, “Why doesn’t Bitwarden provide the most secure solution by default?” And how is the poor user supposed to figure out how many KDF iterations to specify?

I realize this is a tangent from the discussion, but this KDF iteration business boggles my mind.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
Why in the world is there even an option for upping the KDF iterations? It seems to me that an option to change the number of KDF iterations is a tacit admission that the program with its default settings,
I'm not going to disagree, and it is sort of on topic since we're talking about how 1PW measures up against its competitors. This all came up because LastPass and its breaches were only using 100,000 and the hackers could brute force the encryption.



As I kept researching this, I stumbled upon this video and it shows that BW was aware that the iterations were too low as far back as 2018 but waited until January 2023 to start using 600,000 iterations for new accounts and prompting existing accounts the following month to update it.

I found his explanation on how it's used to be very helpful, and how I kept seeing in my googling yesterday and this morning people saying a good master password is needed and better.


Looks like 1Password uses an iteration of 650,000
How PBKDF2 strengthens your 1Password account password

Finally, I found this blog to be interesting. I've not seen this before, nor do I follow him, it popped up on my googling
Bitwarden design flaw: Server side iterations
 

gregmac19

macrumors regular
Jul 28, 2016
199
146
I'm not going to disagree, and it is sort of on topic since we're talking about how 1PW measures up against its competitors. This all came up because LastPass and its breaches were only using 100,000 and the hackers could brute force the encryption.


as I kept researching this, I stumbled upon this video and it shows that BW was aware that the iterations were too low as far back as 2018 but waited until January 2023 to start using 600,000 iterations for new accounts and prompting existing accounts the following month to update it
So BW waited five years to fix a known problem. Fabulous. And yet, a lot of people on here think that BW is great.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
So BW waited five years to fix a known problem. Fabulous. And yet, a lot of people on here think that BW is great.
Yeah, the audit highlighted the issue in 2018, but I think they didn't do anything until the LastPass breach and how people's data was getting compromised as they used 100,000 iterations as well.

2018 Audit: [screenshot attachment]
 

MisterSavage

macrumors 601
Nov 10, 2018
4,651
5,495
Finally, the fact that BitWarden is forcing its users to use 2FA kind of bothers me. I understand having only a master password is a single point of failure but, I really hate 2FA. I also hate being forced to use the app a certain way, I want to be the one making the decisions on how best to use the product I'm paying for.
I can somewhat see your point, but for the average joe who doesn't keep up with tech they just won't turn on 2FA unless you force them to. The adoption numbers Google reported a few years ago were shockingly low (to me).

 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
I can somewhat see your point, but for the average joe who doesn't keep up with tech they just won't turn on 2FA unless you force them to
I can't speak about the average joe, I can only pick a product that best fits my needs and I'd rather find a security solution that avoids 2FA for my password manager.

In the end, I decided, after comparing BW and some of the information regarding the KDF iterations, I'll be much happier with 1PW. It's a better fit, as the secret key offers protections and safeguards that I feel that 2FA doesn't.
 

MacBH928

macrumors G3
May 17, 2008
8,351
3,734
How bad is the 100,000 iteration thing? Because yes, there could be "better" security, but there is also sufficient security.

You say they kept the iteration unchanged for 5 years but no breach happened in those 5 years either.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
How bad is the 100,000 iteration thing?
I'm not even going to attempt to answer this simply because I'm not a security expert, but it is something that the audit pointed out, and BW felt that they also needed to change it. Seems like many people talking about LastPass mention that the KDF iterations are too low. So circumstantial evidence seems to imply that 100,000 is no longer considered adequate.

You say they kept the iteration unchanged for 5 years but no breach happened in those 5 years either.
People leave their front doors unlocked at night, doesn't mean you can draw a conclusion that doing so is safe.
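
The 100,000 versus 600,000 question raised in the posts above can be put in numbers. The following is an added example, not code from any poster, Bitwarden, 1Password or LastPass: it times PBKDF2 at the iteration counts mentioned in the thread and expresses the increase as equivalent bits of master-password entropy. The SHA-256 hash choice, the sample password and the `ASSUMED_RATE` attacker figure are assumptions made for illustration, not measurements.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key with PBKDF2-HMAC-SHA256 (hash choice assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N wall-clock cost of a single derivation on this machine."""
    salt = os.urandom(16)
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("constructed-sample-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def equivalent_bits(old_iterations: int, new_iterations: int) -> float:
    """Raising the count multiplies the cost of every guess; express that
    factor as the bits of password entropy that would cost the same."""
    return math.log2(new_iterations / old_iterations)


def expected_years(entropy_bits: float, iterations: int, rate: float) -> float:
    """Average time to search half of a 2**entropy_bits password space.
    `rate` is PBKDF2 iterations per second, an assumed attacker figure."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    ASSUMED_RATE = 1e10  # hypothetical attacker rate, not a benchmark
    for count in (100_000, 600_000, 650_000):
        ms = seconds_per_guess(count) * 1000
        print(f"{count:>7} iterations: {ms:7.1f} ms per guess on this machine")
    gain = equivalent_bits(100_000, 600_000)
    print(f"100,000 -> 600,000 is worth {gain:.2f} bits of password entropy")
    for bits in (30, 40, 50, 60):
        low = expected_years(bits, 100_000, ASSUMED_RATE)
        high = expected_years(bits, 600_000, ASSUMED_RATE)
        print(f"{bits}-bit password: {low:.3g} years at 100k, {high:.3g} at 600k")
```

Going from 100,000 to 600,000 iterations multiplies an attacker's cost by six, about 2.6 bits, so three extra bits of entropy in the master password cost an attacker more than the iteration increase does.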
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
I thought 1Password had this functionality but I'm failing to find it on their site. I recommend confirming the strength of your password; of course doing it on an unknown website is risky. NordPass (maker of Nord VPN) does have such a feature.


One frustrating oddity I ran up against with 1Password is when I changed my password to one that would take "centuries" yet be fairly memorable to remember and not awkward to type in (harder than you think). I found myself unable to unlock the 1Password app.

It seems you need to use the old password in the app to unlock it, you will then be presented a message to reauthenticate. I was starting to panic when it wouldn't accept the new password. Only when I typed in the old one (in my panic) did things work out - not sure I like that but I'll keep that in mind the next time I change the master password.

The hidden blessing in this little issue was to make sure I have all of the details in the 1PW Emergency kit - 1PW re-downloads it whenever you update your password. It's up to you to edit it and include your password. It's up to you to secure that emergency kit - since it has the keys to the kingdom, so to speak.
 

MisterSavage

macrumors 601
Nov 10, 2018
4,651
5,495
In the end, I decided, after comparing BW and some of the information regarding the KDF iterations, I'll be much happier with 1PW. It's a better fit, as the secret key offers protections and safeguards that I feel that 2FA doesn't.
Glad you found something that fits for you. I paid for 1PW for years because I liked it but I'm happy with BW now.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,565
43,547
but I'm happy with BW now.
Yeah, we need to pick the best option for our needs, your priorities may not be mine.

For me, the major factor of selecting 1PW over its competitors, is the secret key. I avoid the 2FA hassle, but my account isn't at risk with a single point of failure.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,385
1,795
Around
I can't speak about the average joe, I can only pick a product that best fits my needs and I'd rather find a security solution that avoids 2FA for my password manager.

In the end, I decided, after comparing BW and some of the information regarding the KDF iterations, I'll be much happier with 1PW. It's a better fit, as the secret key offers protections and safeguards that I feel that 2FA doesn't.
Can I ask why you don’t want 2FA on your password manager? It’s not like you need to use it every day, only when you set up a new device or access your vault from online for the 1st time.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,385
1,795
Around
This is where the secret key is superior.
I do agree
One could also argue that some people think they can use easy passwords because they have 2FA
It is a false sense of security.
One word - work pc
My work PC I have the extension. I created a guest vault for work passwords and have that guest vault on my work computer. This way my personal passwords are on my work computer, I have a separate master password for my work password/guest vault, and I can access my work passwords on my personal account.
As locked down as my work computer is, I was able to use the browser extension on it.

The guest vaults are another selling point for me.
 