I am looking forward to your TidBits book on Mac Users and Synology. On the advice of a friend, I moved from a Drobo to a Synology. Talk about un-Mac-like, I always feel like I’m trying to find a light switch in an unfamiliar room. I don’t know why when I added a 1GB file I had to replace 3 4TB drives with 8TB drives and I still have no space left.
Have I understood correctly: 1PW8 only stores data in the cloud and therefore if you have no internet connection you can’t access your passwords? I suppose the argument might be that if you have no internet connection you don’t need passwords but, bearing in mind that vaults contain a lot more than just passwords, this sounds like a major step backwards.
Like some others here, I stayed on 1PW6 for a long time - it did all I needed it to do and did it well.
I’d welcome an expert (re)view on the Apple Keychain, it’s looking more and more attractive for my needs at the moment.
That’s the great thing about encryption algorithms: knowing the method shouldn’t make it any easier to decrypt a blob of random data. This doesn’t mean that open source is more secure, but with open source an expert can audit the algorithms to ensure they are secure - something that can’t be done with proprietary methods. And proprietary algorithms that are trying to ensure security by obscurity can be weaker than known good open source algorithms for encryption.
Having done a pretty complete survey of the alternatives to 1PW myself…LastPass suffers from the same subscription and loss of features issues that is causing many 1PW users to seek alternatives. Moving to it doesn’t solve any of the issues. If those issues aren’t important to you…then there’s no real need to leave 1PW…but within those issues LP is a decent alternative.
It’s local storage on device only…unless something has changed recently in the v8 beta there is no ability to backup and/or restore a copy of your data to the location of your choice…and they’ve deliberately IMO designed their new encryption process to disallow use of any local storage (i.e., local SSD or network share or DropBox)…or perhaps that’s a deliberate decision rather than an algorithm forced decision. Whether their new encryption process is better or worse…or whether it is a case of better is the enemy of good enough…is a different discussion. Your devices will continue to operate and provide passwords with no internet connectivity…but won’t sync and in the admittedly low likelihood that the 1PW servers disappear the ‘master copy’ of the data disappears. I could live with sub and their servers and the funky app if I have to…but for me and numerous users who have said so over on their forums…the lack of backup and restore by the user to a location of the users choice outside of their servers and the lack of any sync without using their servers is a hard no. Their response has been essentially…we’ve made our decision, goodbye…but our way is sooooo much better and you just don’t understand how it is sooooo superior to the way you might want to do things.
No. In theory, open source is more secure since vulnerabilities are more quickly spotted.
Just my own. (Though I still have my 1Password vault in their cloud as well.)
I have considered pitching it to Joe, and it’s a book I would love to do, but I barely have time to keep up with the ones I’m already responsible for. My review is in the early stages, but the Synology is the easiest server I have ever set up or maintained. I guess a macOS server would be more “Mac like,” but you’ll be hard-pressed to find something more usuable than Synology.
I doubt that will matter at all, as there will be no File / Open in 1Password. The local storage is just caching what the 1Password vault sends to the device. You’ll need to make an initial connection to your account on 1Password before that file appears, and restoring it is not really something that you can do.
Also it seems that it’s not just a “file”, but a complex series of items stored in ~/Library/Containers/1Password7, at least for the current release.
I meant to post this sooner, but, boy, am I glad that you posted this, because it made me consider exactly how I would do the same. What if I am traveling somewhere with just my phone and I’ve lost my phone (so have had to replace it ASAP), and have really slow internet connectivity, so that an iCloud restore would take way too long, so I need to set up the phone from scratch - how would I make sure that I can get the absolute minimum of what I need (including access to 1Password, even the subscription - how do I make sure that I have access to the needed secret key?) back up and running? As it turns out, I think I am all set, so long as I can get iCloud up and running and can get the App Store connected to download an app or two. But I am going to be testing this for sure (I have an old iPhone X that I can use to test this.)
Not to hijack this thread, but in all the password manager reviews, I haven’t seen any mention of SplashID Safe. I started using it on a Palm Pilot years ago and welcomed its migration to the Mac, iPad, and iPhone. It has its occasional bugs, but overall has worked well for me. Has SplashID ever been reviewed by anyone?
I’ve always been a bit skeptical of these kinds of claims about the benefits of open source. You may have access to the code, but do you have the knowledge, expertise, and time to audit the code? And if you don’t, how many other people do? And of those, who’s actually going to do it?
I recall that a serious vulnerability was found in OpenSSH a few years ago. Despite it being open source project, that bug had been in the code for a long time. When people began criticizing the project, the developers pushed back, noting that while many people and companies had been happy to use the software, few were willing to provide support to the project so that things like security audits could be performed.
Because it’s so difficult to do encryption right, I would expect that the developers of password managers would rely on well-established and well-tested encryption techniques and implementations in their software. Being open source is probably neither an advantage nor disadvantage as far as security goes.
1PW 8 has had export since late 2021. Both 1PUX (zipped, unencrypted) and CSV. They’re planning on adding an encrypted export too.
As much as I’m glad there are competitors, I am amazed at the people who want to save a few $ at the cost of potentially more complex and error prone setups.1Password is great especially for families. As I said before, of all the $50 (for 6 people) subscriptions 1Password is close to the top.
Yeah, it’s a perfectly fair point, which is why I said “in theory.” Sometimes that works out and sometimes not.
I wouldn’t recommend the KeePass setup to save money since the best iOS apps have subscriptions to enable the best features (and I’m happy to support the developers). For me, it’s really more about data ownership.
As I said in my earlier reply, open-source doesn’t guarantee better security, for the reasons that you list. But at least there is a way to audit the code for people who have the expertise. And in the case of encryption, there are well-know, well-documented open-source algorithms that can be used, rather than trying to “reinvent the wheel”. And, to restate what I said before, knowing the method used to encrypt and decrypt doesn’t make cracking well-designed encryption any easier. Relying on obscurity for security is dangerous, particularly when there are open-source solutions that are already well-observed.
Josh, this is the sentence that I believe confuses many folks: " The other notable change is that 1Password 8 will no longer let you store your password database locally. Instead, you have to use 1Password.com, which makes some people uncomfortable." AFAIK, 1Password 8 grabs your encrypted info from their server, stores a local cache on every device where you have the application installed (e.g. “1Password keeps a “local cache” of all of your data in a database that resides inside ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Data If you quit 1Password completely, disconnect from the internet, and then restore this folder from Time Machine, you can launch 1Password and it will unlock with the data that was present at the time the backup you restored was taken.” So once you have made the initial app install and unlocked with your secret key on a computer, you will have a local copy. In addition, as others have mentioned, v8 does now include the ability to export an unencrypted copy of your data. Those facts certainly assuaged my concerns about moving to 8.
I moved from a Drobo, which was pretty transparent but prone to failure. And at least once it did some weird thing where the OS gave it a new name (Drobo-1), so all the backups were looking at Drobo (which didn’t exist) instead of Drobo-1, which still appeared as Drobo everywhere other than in Terminal.
I just find the huge number of packages that must be dealt with bewildering. And I still don’t understand why it’s eating hard drives; I started with 5 4GB drives which ran out of room. I’ve replaced 3 of them with 8GB drives and it once again ran out of space.
Sorry. I know this is not what the thread’s about… (Doh!)
There is a cached copy, so you won’t totally lose access if you can’t reach the server. However, in my experience with 1Password 7, you can’t export a vault stored in the 1Password cloud. I had to first copy my vaults to a local copy. So my concerns are twofold:
I won’t be able to export at all in 1Password 8. Or at least, not as smoothly as I did in 7. Granted, I haven’t tried the beta yet. (Don’t really want to risk my passwords to a beta.)
I wouldn’t be able to sync passwords if I couldn’t reach the server.
I probably could have elaborated more on that in the article, but it was long enough already
Yeah… that’s why I could never do Drobo.
GB? Did you mean terabyte? I put four 6-terabyte drives in mine and have plenty of room. There are some Synology packages that require a bunch of other dependencies. I don’t know off the top of my head if it makes it easy to figure out which package requires which other package.