Exactly why I brought it up. I can’t recall exactly when I started using it, but at least 12 years ago now and I’ve never seen any reason to switch.
LastPass was my first password manager, and I chose it at that time because, although my own computers have always been Macs, I often needed to log in to one site or another from public computers in airports and hotels and e-cafes in Thailand, machines that were usually running Linux.
LastPass felt safe for that and for me always worked on every machine. It’s like Gmail in that respect, and the two of them together made traveling easy.
Also on 1PW 6.8.9 on MacBook Pro running Monterey 12.3.1. Was intending to stay on it until Rosetta goes away but may now make the move to KeePassXC sooner than that. Many thanks to Josh for this article, I didn’t realise there were feasible alternatives out there. The subscription model and being forced to live in their cloud are deal-breakers for me. Like sto I need a browser extension, great to know there are other systems out there with them.
Aren’t you sacrificing a lot in security by using an open-source app? It seems to me, not knowing a lot about this side of the equation, that it can open up vulnerabilities by its nature. I’m not sure that moving from a password manager that stores your data on their servers to one that gives you the option to store locally but may be vulnerable is a good trade. After all, if you need to share data with other devices, you’re going to be storing your data on somebody’s servers, aren’t you?
I am looking forward to your TidBITS book on Mac Users and Synology. On the advice of a friend, I moved from a Drobo to a Synology. Talk about un-Mac-like, I always feel like I’m trying to find a light switch in an unfamiliar room. I don’t know why when I added a 1GB file I had to replace 3 4TB drives with 8TB drives and I still have no space left.
Have I understood correctly: 1PW8 only stores data in the cloud and therefore if you have no internet connection you can’t access your passwords? I suppose the argument might be that if you have no internet connection you don’t need passwords but, bearing in mind that vaults contain a lot more than just passwords, this sounds like a major step backwards.
Like some others here, I stayed on 1PW6 for a long time - it did all I needed it to do and did it well.
I’d welcome an expert (re)view on the Apple Keychain, it’s looking more and more attractive for my needs at the moment.
That’s the great thing about encryption algorithms: knowing the method shouldn’t make it any easier to decrypt a blob of random data. This doesn’t mean that open source is more secure, but with open source an expert can audit the algorithms to ensure they are secure - something that can’t be done with proprietary methods. And proprietary algorithms that are trying to ensure security by obscurity can be weaker than known good open source algorithms for encryption.
Having done a pretty complete survey of the alternatives to 1PW myself…LastPass suffers from the same subscription and loss of features issues that are causing many 1PW users to seek alternatives. Moving to it doesn’t solve any of the issues. If those issues aren’t important to you…then there’s no real need to leave 1PW…but within those issues LP is a decent alternative.
It’s local storage on device only…unless something has changed recently in the v8 beta there is no ability to back up and/or restore a copy of your data to the location of your choice…and they’ve deliberately IMO designed their new encryption process to disallow use of any local storage (i.e., local SSD or network share or Dropbox)…or perhaps that’s a deliberate decision rather than an algorithm forced decision. Whether their new encryption process is better or worse…or whether it is a case of better is the enemy of good enough…is a different discussion. Your devices will continue to operate and provide passwords with no internet connectivity…but won’t sync and in the admittedly low likelihood that the 1PW servers disappear the ‘master copy’ of the data disappears. I could live with sub and their servers and the funky app if I have to…but for me and numerous users who have said so over on their forums…the lack of backup and restore by the user to a location of the user’s choice outside of their servers and the lack of any sync without using their servers is a hard no. Their response has been essentially…we’ve made our decision, goodbye…but our way is sooooo much better and you just don’t understand how it is sooooo superior to the way you might want to do things.
No. In theory, open source is more secure since vulnerabilities are more quickly spotted.
Just my own. (Though I still have my 1Password vault in their cloud as well.)
I have considered pitching it to Joe, and it’s a book I would love to do, but I barely have time to keep up with the ones I’m already responsible for. My review is in the early stages, but the Synology is the easiest server I have ever set up or maintained. I guess a macOS server would be more “Mac like,” but you’ll be hard-pressed to find something more usable than Synology.
I doubt that will matter at all, as there will be no File / Open in 1Password. The local storage is just caching what the 1Password vault sends to the device. You’ll need to make an initial connection to your account on 1Password before that file appears, and restoring it is not really something that you can do.
Also it seems that it’s not just a “file”, but a complex series of items stored in ~/Library/Containers/1Password7, at least for the current release.
I meant to post this sooner, but, boy, am I glad that you posted this, because it made me consider exactly how I would do the same. What if I am traveling somewhere with just my phone and I’ve lost my phone (so have had to replace it ASAP), and have really slow internet connectivity, so that an iCloud restore would take way too long, so I need to set up the phone from scratch - how would I make sure that I can get the absolute minimum of what I need (including access to 1Password, even the subscription - how do I make sure that I have access to the needed secret key?) back up and running? As it turns out, I think I am all set, so long as I can get iCloud up and running and can get the App Store connected to download an app or two. But I am going to be testing this for sure (I have an old iPhone X that I can use to test this.)
Not to hijack this thread, but in all the password manager reviews, I haven’t seen any mention of SplashID Safe. I started using it on a Palm Pilot years ago and welcomed its migration to the Mac, iPad, and iPhone. It has its occasional bugs, but overall has worked well for me. Has SplashID ever been reviewed by anyone?
I’ve always been a bit skeptical of these kinds of claims about the benefits of open source. You may have access to the code, but do you have the knowledge, expertise, and time to audit the code? And if you don’t, how many other people do? And of those, who’s actually going to do it?
I recall that a serious vulnerability was found in OpenSSH a few years ago. Despite it being an open source project, that bug had been in the code for a long time. When people began criticizing the project, the developers pushed back, noting that while many people and companies had been happy to use the software, few were willing to provide support to the project so that things like security audits could be performed.
Because it’s so difficult to do encryption right, I would expect that the developers of password managers would rely on well-established and well-tested encryption techniques and implementations in their software. Being open source is probably neither an advantage nor disadvantage as far as security goes.
1PW 8 has had export since late 2021. Both 1PUX (zipped, unencrypted) and CSV. They’re planning on adding an encrypted export too.
As much as I’m glad there are competitors, I am amazed at the people who want to save a few $ at the cost of potentially more complex and error prone setups. 1Password is great especially for families. As I said before, of all the $50 (for 6 people) subscriptions 1Password is close to the top.
Yeah, it’s a perfectly fair point, which is why I said “in theory.” Sometimes that works out and sometimes not.
I wouldn’t recommend the KeePass setup to save money since the best iOS apps have subscriptions to enable the best features (and I’m happy to support the developers). For me, it’s really more about data ownership.