LastPass Publishes More Details about Its Data Breaches

Rick, that is another reason why I’m not moving from 1Pwd7 to 1Pwd8: their greed! I crunched the numbers and discovered that you will pay MORE over the life of 1Pwd8 via subscription than you would just upgrading a standalone application every 2 - 3 years. IIRC, the subscription cost passed the standalone cost after around 20 months. And that was for just 1 person as I do not need anything else. I guess I’ll eventually have to go back using 3M’s password manager!

BitWarden for me. Can’t be beat for free or even the $10/yr that I pay.

I’ve been using 1Password since 2007, and removed all of my passwords and info from a Pages/Works doc. I’m not sure what the version was then. I have about 400 items in there now. Probably need to do some pruning. I’m not a fan of the passwords being in the cloud. I’ve been using Authy on my iPhone for a few years for a few sites. And, also I use Step Two on my Mac. Looking forward to Passkeys.

Apparently the exploit used to hack the LastPass developer’s laptop was a problem with Plex for which a patch had been released more than two years prior:

1 Like

Backups are possible with BW but the big drawback of it for me is there are no file attachments…a lot of my PW manager entries have pdfs or images attached like the Driver License and Passport ones have images of the actual documents in addition to the numbers in the various fields. It’s also less elegant than 1PW…and if I didn’t need attachments I would seriously consider it. In addition, secure note entries have a fairly limited character count and no formatting is possible…which again is something I use for a lot of chronological documents that I prefer to have encrypted. I’ve also evaluated Enpass and in the absence of backup capabilities in 1PW v8 would switch to one of them when/if v7 quits working.

As it is though…there is a local copy of the vault on each device and if it turns out to be actually encrypted on disk (which I believe to be the case but haven’t verified yet)…then it does get backed up by TM and for those who want daily incremental backup copies similar to what v6 and v7 do then any of the various sync apps can easily do this for us. Not as elegant as a backup capability within the app…and I don’t understand why it’s not already included therein…but as a work around it’s probably acceptable.

Yep…me too…but if the data is actually encrypted and stored locally in the Library folder as indicated then that will get backed up by TM or CCC or whatever and one can easily schedule a CCC task to do the same daily backup that v6 and v7 do now…it will just happen outside their app. I’m not entirely sure why they don’t just include this capability in the app and have a note in with them to verify that the copy there is indeed encrypted and backup-able by whatever means one desires…will report back if/when I get an answer.

I used LastPass Premium for years, but got uneasy with the changes in ownership; I switched to 1Password, originally v7 and jumped to v8 when it was available. It's been a smooth transition, and while I was hesitant to use it for the 2nd factor auth, it really is so smooth that I switched from Authy to letting 1Password handle it (yeah, I know it's a compromise).
I haven't had any issues with v8 being Electron; I wouldn't have known if others hadn't kept pointing it out.

1 Like

Ok, replying to myself since I said I would report back after discussions with the 1PW team.

Short answer.

There is sort of a way to do your own backups of 1PW data that is normally stored at 1password.com…and AFAIK this applies to both v7 and v8 with vaults that are stored there. Local vaults stored on DropBox or wherever continue to be backed up daily by v7 but are not allowed in v8. And their veil of corporate speak that is used to justify some of the lost features between v7 and v8 seems to be just that…doublespeak to justify their business decisions.

Longer answer.

As you know, 1password.com uses both a Master Password and a Secret Key, neither of which is ever sent to the cloud…all local data is encrypted on disk and only decrypted in RAM. Previously, 1PW said that the use of both of those was what required data to be stored online only and not locally…their tech admitted in our conversation that this was not the case. They claim that their dual encryption makes their product more secure than storing locally…but essentially they just use 2 passwords to increase entropy and there’s nothing different about the Secret Key than the name and the length. Arguably…this makes their system more secure at least theoretically from a math standpoint depending on the actual length of your DropBox (for instance) and Master Password and might provide greater entropy. However…this is only true from a theoretical math standpoint…from a practical standpoint if the combination of Master and DropBox provide say 1 million centuries to crack both then if their system provides 2 million centuries that’s insignificant. As a long time IT security guy…I understand that better can often be the enemy of good enough…and personally I don’t really depend on the second password at DropBox to provide additional entropy…yes, it could be cracked and my data stolen but I essentially assume that the encrypted vault blob at DB could be exfiltrated so it’s only the Master Password protecting my data…hence having a long and secure Master Password is valid.

I’ve considered all the ‘defects’ in v8…subscription only, no DropBox, Electron client, and no inherent backup and the only one that actually matters (at least to me) is the backup issue…the others are things I’m willing to live with because to date 1PW has been and remains the best password manager on the market.

So…according to their tech this is how things work.

Encrypted data is maintained on both their server and each of a user’s devices and is only decrypted in RAM. When a change is made in data anyplace…that change is encrypted on device using both the Master Password and Secret Key and then stored to disk. The encrypted blob is then synced to the cloud and thence to the other devices…but the actual encryption and original storage is done locally (this to me means that their “it only works online” is just corporate BS to enforce the use of a subscription…personally I think they could have enforced that and still allowed local/DB/iCloud storage but how they run their business for profit is up to them and I can see some advantages in doing what they’ve done even though I don’t agree with it).

On macOS…the encrypted data is stored locally at ~/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data…and as such is backed up by Time Machine if one has it running. Since the location is known…it would be trivial to make a backup copy of this folder using CarbonCopyCloner or any of a dozen other backup/sync apps to make backups to a location of the user’s choice including DB or iCloud or wherever…thus providing the organic backup and restore capabilities that any security professional would demand. I asked why…since this was obviously possible…the app didn’t include this and scheduling as a matter of duh, why not…and got no good answer except corporate doublespeak about how their redundant backups and data centers made such a thing unnecessary. I postulated a situation to them involving some bad guy getting into their system with some sort of ransomware that (a) encrypted their already encrypted servers holding them for ransom, which would obviously take the servers offline but in the process the now corrupted blob got synced to all user devices making users have no data. For whatever reason their servers remained offline for some time…and while they admitted that the TM or other backups that some savvy users made could be restored to the users device to get the user back in business…they didn’t have a good answer to the situation I offered except “trust us”.

Frankly…they probably do have sufficiently redundant and offline backups and replicated data that their servers going offline after such a corruption is extremely unlikely…but as a long time Windows sysadmin and IT security guy…being able to bootstrap myself independent of anything they’re doing seems prudent. They did also admit that if I restored that backup…only my Master Password would be required to decrypt the data and not the Secret Key…so it’s not clear how the Secret Key plays into the whole backup/thing…but if one restores the folder above to your macOS computer it then decrypts with your Master Password and you’re back in business. Sync with your other devices would have to wait until their servers were restored though…at which point their blob and your blob would sync and then sync via their server to your other devices.

So…at this point I’m happy that I can do my own backup and restore if it became necessary and while I prefer to keep my vaults on DB, I can live with using their server to sync instead. And…having surveyed the available alternatives to 1PW…even the (I think) cropped v8 compared to v7 is still better than any of the alternatives. It’s not cheaper than BitWarden and perhaps Enpass either…but neither of them is as fully featured and provides for as many categories of entry as 1PW does. In particular…1PW provides the ability to have Secure Documents and while some of the alternatives do this as well none that I’ve found allow formatting in those secure documents and none of them allow attachments to entries…for instance if you use 1PW’s Passport or Driver License categories you put in all the numbers but can also attach a pdf or jpg of your actual passport/license as well.

3 Likes
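The do-it-yourself backup described in the post above (copy the local 1Password data folder somewhere of your own choosing, on a schedule, and be able to restore it without the vendor) can be done with a small script instead of CCC. This is an added example, not code from the thread or from 1Password. It uses the macOS folder path quoted in the post; the backup destination, the retention count, and the function names are assumptions. Each run makes a timestamped copy, verifies it against the source with `diff -r`, and prunes all but the newest N snapshots. The copies are the encrypted blob, so they are no more readable than the original, but treat the destination with the same care as the vault itself.

```shell
#!/bin/sh
# Snapshot the local 1Password data folder into dated copies and keep the newest N.
set -eu

# Source path is the one reported in the thread for macOS; the other two are assumed defaults.
VAULT_SRC="${VAULT_SRC:-$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/Library/Application Support/1Password/Data}"
BACKUP_ROOT="${BACKUP_ROOT:-$HOME/Backups/1Password}"   # placeholder destination
KEEP="${KEEP:-14}"                                       # snapshots to retain

# snapshot_vault SRC ROOT
# Copies SRC into ROOT/<UTC timestamp>/, verifies the copy, and prints the snapshot path.
# Returns 1 (and leaves no partial snapshot behind) if SRC is missing or the copy differs.
snapshot_vault() {
    src=$1; root=$2
    if [ ! -d "$src" ]; then
        echo "snapshot_vault: source folder not found: $src" >&2
        return 1
    fi
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$root/$stamp"
    mkdir -p "$dest"
    # cp -Rp keeps modes and mtimes; the trailing /. copies the contents, not the folder itself
    cp -Rp "$src/." "$dest/"
    # Verify byte-for-byte before trusting the snapshot
    if ! diff -rq "$src" "$dest" >/dev/null; then
        echo "snapshot_vault: verification failed, discarding $dest" >&2
        rm -rf "$dest"
        return 1
    fi
    printf '%s\n' "$dest"
}

# prune_snapshots ROOT KEEP
# Deletes all but the KEEP newest snapshot folders. Names are UTC timestamps,
# so a reverse lexical sort is newest-first.
prune_snapshots() {
    root=$1; keep=$2
    n=0
    for d in $(ls -1 "$root" | sort -r); do
        n=$((n + 1))
        if [ "$n" -gt "$keep" ]; then
            rm -rf "$root/$d"
        fi
    done
    return 0
}

# count_snapshots ROOT -> number of snapshot folders present
count_snapshots() {
    ls -1 "$1" | wc -l | tr -d ' '
}

# Run the real backup only when invoked as: sh backup-1pw.sh run
if [ "${1:-}" = "run" ]; then
    snapshot_vault "$VAULT_SRC" "$BACKUP_ROOT"
    prune_snapshots "$BACKUP_ROOT" "$KEEP"
fi
```

Schedule it with launchd (or cron) to get the daily copy the poster wants; a restore is the reverse copy of the chosen snapshot back into the source folder with 1Password quit, after which, as the post reports, the Master Password alone unlocks the data.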

From a March 11, 2023 article in the Wall Street Journal, another reason to keep using password managers:

Recently published work from researchers at several Chinese universities and the University of New South Wales in Australia has shown that new generative artificial intelligence is now so good at guessing what tweaked passwords we’ll come up with that our habit of using slightly modified passwords could become nearly as big a threat to our cybersecurity as reusing passwords.

3 Likes

I’m jumping in late here. As a PasswordWallet user I’m wondering if there are any advantages to switching to a subscription system like 1Password.

PasswordWallet seems to work ok. It synchs via DropBox though, and that doesn’t always happen automatically. So if there have been changes I sometimes have to force a synch on my current device to make sure I have the latest info.

How does 1Password do its synching?

As I understand, the Secret Key is stored locally and never changes after being created (or synced from another of the user’s devices). Since it is never stored on 1Password’s server, it couldn’t be corrupted in your ransomware scenario.

Thus it’s already present (and intact) when you restore the vault so only the Master Password is needed to decrypt the vault.

I’m curious though:

  1. Where on the local drive is the Secret Key kept, and
  2. Is there any impediment to restoring it from an ordinary backup?

(After all, you need to be able to recover if the Secret Key is corrupted by gamma rays or by any other means.)

It’s stored in the login and iCloud keychains.

PW is good for what it does…but it has some drawbacks. Used to use it myself and wife still does. Sync between devices doesn’t work transparently, the auto fill of web pages is cumbersome, it has limited storage capabilities if you want the pre-formatted records for passports or whatever…and a big one is no secure notes which I use heavily. Also…it’s supported by Sanford but he’s essentially a one man shop, has largely moved on into other interests in his life, and has zero interest (I know because I asked him) in adding any of the additional capabilities or solving its issues.

So…for me…it’s just not good enough any more.

1PW OTOH…just works…sync via either DB or iCloud or their servers is automatic and much like macOS just works. And it has the additional features of a more modern app…and it isn’t supported by a one man disinterested shop.

That said…it still has its faults. The company sold a large chunk of itself to some VC people…they claim they’re still ‘in control’…but we know that VC people want ROI. Nothing wrong with that…but it’s obvious that the company’s intended market now is primarily the business market and a lot of the things people don’t like about the new v8 reflect that lower costs and increase revenue and hence profits mindset. However…for most serious geeks…the lack of local backup and restore capability is the biggest deal with v8…the rest of the complaints are annoyances. And with their recent disclosure of where the local copy exists and knowing that it can be backed up and restored eases a lot of concerns.

And all that said…1PW is still far and away the best app in its category despite the drawbacks in v8…I’ve done a bunch of testing of the alternatives and either they have the same issues with backup and restore or they lack critical features that serious IT security geeks want. So…for now, I’m staying with the previous v7 which avoids the v8 issues…and if it ever breaks then I will likely upgrade to v8 unless one of its competitors seriously upgrades their product. I’m actually pretty sure that their redundant data centers and backups and Secret Key and all is actually well thought out and implemented…but as a long time IT security guy…the ability to backup and recover from my end alone is a critical, non negotiable requirement. My password manager is the singularly most vital app and contains my most valuable (to me) data…and the ability to recover it in a worst case scenario with zero help from the company or internet is critical…it’s right up there with being faithful to my spouse and your word is your bond and a deal is a deal to me.

Other people have different opinions…but you asked. I don’t like the subscription option…but have had one for several years despite my primary 1PW vaults being on DB…their server copy which I manually update is part of my backup strategy. The non native macOS client I don’t like but that’s a quibble. The other v8 issues are also quibbles except for the backup and restore thing…and we now know how to handle that.

The Secret Key is essentially just a second password that is used to…for lack of a more sophisticated explanation…double encrypt your data. Nothing wrong with that…but they state that it is so much better than your Master Password and (for instance) your DropBox or iCloud password.

Because of its length…then mathematically they are correct in saying it is more secure, unless your Master or DropBox passwords are of equivalent length…but as a practical matter it isn’t really more secure. The difference between 10,000 centuries to crack and 100,000 centuries is irrelevant since these days the only factor in passwords that matters is length.

The Secret Key is originally calculated when one establishes your subscription account…and I have no idea where it is calculated (their end or yours) but they say they Never know it so I assume on your end…but as I said it’s just a second password which increases the overall entropy and makes the cracking time longer…but once it gets to 10 million trillion centuries (or whatever number Steve Gibson’s haystacks page calculates)…making it 100 million trillion centuries simply doesn’t matter…for the vast majority of us with secure long master passwords the bad guys will simply move on because the cost to crack isn’t worth what they might get out of it.

1PW’s security is just fine…they just add a bunch of marketing-speak to claim how they’re so much better…but while they aren’t lying they are splitting hairs and using technically correct but irrelevant mathematical data to claim they’re ‘better’.

Thanks for all the extra detail!

One reason I’ve stuck with PW is I tried another one once (can’t remember which, maybe Last Password?) and the problem was the cumbersomeness of getting it to work with some sites, especially Japanese sites.

PW on the other hand “just works” all the time.

As we both noted, syncing between devices leaves some to be desired. I usually have to force a sync on the new device. But after that it’s fine.

When you mention secure notes, the entire wallet is secure. So isn’t that enough?

Another reason I’ve stuck with PW is that none of the other ones, including 1 Password, have a feature to import from PW!

When you mention secure notes, the entire wallet is secure. So isn’t that enough?

Yes… but the Secure Note in 1PW is essentially an RTF file that’s encrypted…for instance one of mine has all the design details and related info about our home network in a formatted text document…this is something that PW won’t do. But the note has details in it that need encrypting so Apple Notes isn’t adequate for that even with their encryption. PW does have a notes field in each record…but it’s limited in size and isn’t formattable for ease of use.

We just received an email ad, Subj: “William, tired of resetting your passwords? We can help.” for “LastPass Premium” 30 day free trial from AOL Member Services, AOLMemberInfo@comms.aol.net, for “ID Protection by AOL.” Has LastPass been sold to AOL (Yahoo Inc.)?