More Password Managers

Well, me. Plus my wife, both my kids. My two sisters. Really, most of my family. A few people use Windows computers at work, but that’s a whole different thing.

I use Chrome for some things on my Mac (mostly just to access some Google accounts that I use less and less frequently, plus for an organization that I’m chair of the board, and my one professional client that I access maybe one day a month if something goes wrong) but it’s easy to copy and paste a password if I needed to. I also have FF on my Mac, just in case Safari isn’t working right and I want to check with another browser. Same, copy and paste would work fine, probably faster than keeping a physical notebook of written down passwords and looking them up.

Anyway, I’m thinking a lot of people who post here are Apple-only.

Even outside this forum these days fewer people even own computers and just use a phone and maybe a tablet as well. I know quite a few of those people. (Mostly my kids’ age.)

1 Like

After hearing BitWarden mentioned a number of times recently here & elsewhere, I took it for a spin. It does have useful features, it is open source, & peer reviewed. The quick deal-breaker for me was that (practically speaking) it requires you to put all your data in their cloud. As LastPass, 1Pv8 & many others do. You can’t maintain full control of your data as you can with a local data file. Some people (especially security professionals, but what do they know?) have mandates that do not permit their passwords to be stored in a cloud server. Whereas most of the commercial password managers currently available require that.

To be complete - BitWarden does offer an optional self-hosting server which I also looked at. But there is no BW Mac server version, only Linux & Windows, and almost all users will not have the skill set to install & maintain it. That’s why I say that practically speaking, the BW self-hosting option is off the table for almost everybody.

Enpass does let you maintain control over your passwords by saving your data in a local file. Enpass also supports many popular cloud services, folder sync, or local wifi sync. Your choice. Your passwords are never stored in an Enpass cloud. “Self-hosting” Enpass is trivial, just save the file to your local hard drive.

I’m trialing Enpass now and it has a full feature set. Many of the features that 1Password offers, except you can keep full control of your data if you want to. That’s a big one for me. I’m surprised that I haven’t seen Enpass mentioned more or more often reviewed against BitWarden & 1Password, actually I only heard of Enpass last week for the first time. I welcome other input pro or con, especially as I work toward making my selection of next password manager.

As a career IT professional managing thousands of passwords & data bits, I can’t afford for my password manager to be breached and I also need a strong useful feature set.

2 Likes

Actually that would be me. I have several Macs, an iPhone, iPad and Apple Watch. I have Firefox on my M1 MBP but honestly can’t remember ever using it.

Having said that, I use 1PW v7 but would prefer to not need it.

1 Like

For what it’s worth, me too. I use two Macs (MacBook Pro and iMac Pro), an iPhone and an iPad Pro. My wife uses only an iPhone. I rarely use any browser other than Safari. (Of course I don’t rely solely on keychain – I use 1Password 8, and am happy with it.) I am retired so I don’t have a separate work computer.

I actually know quite a number of people who use only Apple devices.

Type “Enpass” in the search window and at least a dozen threads discussing the app will pop up.

1 Like

Perhaps this year-old comparison of StrongBox, Bitwarden, and Enpass would interest you.

https://www.reddit.com/r/selfhosted/comments/t4lsx2/why_i_chose_strongbox_as_my_new_password_manager/

As I understand, Enpass has published only one security assessment by an independent party and it was of versions 5 and 6 for Android and Windows in 2018. As an IT professional, are you concerned with this level of transparency, especially given the errors disclosed in the report?

2 Likes

This idea of using the Apple keychain for everything hits the sweet spot for my significant other. I was looking at using a 1Password family plan, but she is very busy and doesn’t want to invest any time into learning to use a password manager or any other software unless unavoidable. She reminds me of Scotty in the Star Trek movie where he is speaking commands to a 9” screen Mac via its mouse. She is Apple only but there will be a few bumps to iron out such as passwords for Quicken. I am going to give it a whirl. 🙂

As I understand, the new Unified (Beta) option for self hosting Bitwarden is built on Docker and since there is a macOS version of Docker, I’d guess that Bitwarden can be hosted on macOS.

Having said that, I agree that deploying self hosting (on any platform) is beyond the average user; it’s not something that I’d try.

1 Like

I’m somewhat inspired (well, at least motivated) to try and move all my 1PW logins to Apple’s Password and see how it goes.

It annoys me Apple has two locations for password management (Keychain Access and Settings/Passwords) and neither of them are in Applications like a ‘normal’ Apple app. Keychain Access could be put in the dock but its interface and functionality are terrible. You can move the Passwords setting to the dock by digging into System/Library/PreferencePanes but I don’t understand why they wouldn’t simply make it a standard app.

Apple Passwords requires a lot of futzing around which 1PW doesn’t - it’s just very clunky and unfriendly. Despite this, I’ll give it a go but I’m not too confident.

Yes, but in the main way I use an app like this - create a new login, or login to a site where I already have a password - it works fairly well to recognize the login, offer to create the password (or to save the password if you’ve filled it in for a site where you have an existing account), and does a good job recognizing a third party app on iOS to fill in the login.

And note that I was talking specifically about iCloud Keychain, which on the Mac is in Safari’s password settings. Not Keychain Access.

As I said, I don’t use it (in fact I’ve had passwords installed there from iOS that I recently made sure were in 1Password and cleared these out), I need more from a password manager. Just to give an example, those sites that ask recovery questions when you create an account - I always create random words and store them manually in 1Password as extra fields. It means cut and paste when I need to fill them in, but that happens rarely. I also store a few secure notes in 1P, and email account details, passport info for the family (including scanned copies in case we need them if we travel), etc. But just for storing site user ids and passwords, including 2FA codes, it’s a nice what I’ll call entry-level system.

And there does appear to be a way to import a CSV password file on a Mac. I did a similar import when I started using 1Password when I moved from Lastpass 6 years ago.

  1. What prompted you to leave LastPass 6 years ago?
  2. What criteria led you to choose 1Password?

I think I’ve mentioned this before, but

  1. The sale of Lastpass to LogMeIn immediately made me want to switch to something else. I was super-worried that a company that wasn’t focused on a password manager, run by the people who designed it and managed it for years, would likely one day be a problem.

  2. When I first bought a Mac in 2007, I wasn’t using a password manager, and I chose 1Password. But I switched to Lastpass in 2009 when I bought my first Android phone. At the time 1Password did not have a good solution for Android. So, I had a history with 1Password, and I like their model for cross-device sync, and I’d already switched to iPhone by then (though I believe that 1Password has a real solution for Android now, too.). At that point I probably also thought about doing a family plan for everyone, but I know my wife has no interest in it at all, so I don’t think that’s happening. She was a “write it in a notebook” person for a long time until she now has everything in iCloud Keychain.

When I imported everything into 1Pass in 2017, I spent time in Lastpass changing all of my user ID and password fields to the word “nothing”, erased all my secure notes, and left it for a bit, then erased everything from the account, then a week or so later deleted my account. I wanted to be absolutely sure that my data was worthless in case Lastpass didn’t really delete the account and somehow somebody had figured out how to hack into accounts. I wasn’t even thinking about backups being stolen.

2 Likes

Wow. Yes, that is of concern. And yes, those are great links. I read it all, and will dig a bit deeper as well. Thanks.

BTW: the firm that did that assessment years ago (never of Mac version, never of iOS version) seems to have not published anything new on their website in 2 or 3 years since, which also raises questions.

It’s really difficult to believe the sad state of available password managers. Seems like all of them require your passwords on their servers, and the 1 with good features that lets you maintain full control of your data has apparently been avoiding any serious assessment while saying that security is a high priority…

When I looked at the link you provided, it seems to be instructions for importing a password file to/from Safari, not the Apple Keychain.

I’d think that to import/export passwords to/from the Keychain, it needs to be done from the Keychain Access app itself, as discussed here:

It looks like Keychain Access prevents a user from migrating away from it since, according to the page, “You can’t export passwords from Keychain Access.” By selecting older versions of macOS on this page, this prohibition became apparent with macOS Big Sur 11.0 (since I don’t see this warning in older versions of the Keychain Access User Guide).

This lock-in troubles me.

Yes, I am talking specifically about iCloud Keychain, which syncs using iCloud end to end encrypted with all iCloud Apple devices. Not Keychain Access. These are the passwords that are available in settings / passwords on iOS and in the Passwords tile in Safari settings on macOS.

It doesn’t do secure notes. But Apple already has a Notes app that can do end to end encryption if you need that, and iOS 16 and Ventura now allow the notes encryption to be unlocked with your device passphrase and biometrics. (They used to use a discrete password that you created yourself. They still can - you just have the option to use your passphrase or Face ID / Touch ID to unlock if you wish.)

As I think previously noted, Apple cannot decrypt iCloud Keychain. To Apple it’s just a random blob. (Well, pseudo-random).

1 Like

There is no difference between Safari and iCloud Keychain password database.

I agree with everything you’ve said here and I still use 1Password version 7, too. Do you have any idea what you’ll use when version 7 finally breaks?

NB Safari on iOS (and iPadOS, not sure about macOS) will auto fill credit card data, including CVVs (remembered on-device).

But it’s not part of the iCloud Keychain, as far as I know, it’s a separate setting under Safari auto-fill “Saved Credit Cards”. It does seem to be synchronised, somehow.

Emergency Access by someone with power of attorney or other designation in case of injury, illness, stroke, etc.

Our solution to this is my wife’s master Password Wallet password is in my 1Password vault and vice versa…and our son is on our 1PW subscription with access to a 911 vault which has the codes for all of our computers and devices and garage code and he has a key…and he also has a paper copy of those in his safe. Once he gets the 911 vault he becomes us and can get into iCloud and whatever else he needs.