Moving from 1Password to KeePass

Not to hijack this thread, but in all the password manager reviews, I haven’t seen any mention of SplashID Safe. I started using it on a Palm Pilot years ago and welcomed its migration to the Mac, iPad, and iPhone. It has its occasional bugs, but overall has worked well for me. Has SplashID ever been reviewed by anyone?

I’ve always been a bit skeptical of these kinds of claims about the benefits of open source. You may have access to the code, but do you have the knowledge, expertise, and time to audit the code? And if you don’t, how many other people do? And of those, who’s actually going to do it?

I recall that a serious vulnerability was found in OpenSSH a few years ago. Despite it being an open source project, that bug had been in the code for a long time. When people began criticizing the project, the developers pushed back, noting that while many people and companies had been happy to use the software, few were willing to provide support to the project so that things like security audits could be performed.

Because it’s so difficult to do encryption right, I would expect that the developers of password managers would rely on well-established and well-tested encryption techniques and implementations in their software. Being open source is probably neither an advantage nor disadvantage as far as security goes.

2 Likes

1PW 8 has had export since late 2021. Both 1PUX (zipped, unencrypted) and CSV. They’re planning on adding an encrypted export too.

As much as I’m glad there are competitors, I am amazed at the people who want to save a few $ at the cost of potentially more complex and error prone setups. 1Password is great especially for families. As I said before, of all the $50 (for 6 people) subscriptions 1Password is close to the top.

1 Like

Yeah, it’s a perfectly fair point, which is why I said “in theory.” Sometimes that works out and sometimes not.

I wouldn’t recommend the KeePass setup to save money since the best iOS apps have subscriptions to enable the best features (and I’m happy to support the developers). For me, it’s really more about data ownership.

2 Likes

As I said in my earlier reply, open-source doesn’t guarantee better security, for the reasons that you list. But at least there is a way to audit the code for people who have the expertise. And in the case of encryption, there are well-known, well-documented open-source algorithms that can be used, rather than trying to “reinvent the wheel”. And, to restate what I said before, knowing the method used to encrypt and decrypt doesn’t make cracking well-designed encryption any easier. Relying on obscurity for security is dangerous, particularly when there are open-source solutions that are already well-observed.

1 Like

Josh, this is the sentence that I believe confuses many folks: "The other notable change is that 1Password 8 will no longer let you store your password database locally. Instead, you have to use 1Password.com, which makes some people uncomfortable." AFAIK, 1Password 8 grabs your encrypted info from their server, stores a local cache on every device where you have the application installed (e.g. “1Password keeps a “local cache” of all of your data in a database that resides inside ~/Library/Group Containers/2BUA8C4S2C.com.agilebits/Library/Application Support/1Password/Data. If you quit 1Password completely, disconnect from the internet, and then restore this folder from Time Machine, you can launch 1Password and it will unlock with the data that was present at the time the backup you restored was taken.”) So once you have made the initial app install and unlocked with your secret key on a computer, you will have a local copy. In addition, as others have mentioned, v8 does now include the ability to export an unencrypted copy of your data. Those facts certainly assuaged my concerns about moving to 8.

1 Like

I too have used 1Password since version 4.
Long ago, I used to buy the family plan & the Windows version…

Started moving over to Enpass a few years ago.
Both my Linux System & Windows 11 system are running Enpass without issue.

So for now am maintaining two password data bases.
So when 1Password stops working I’ll be ready to move to Enpass.

1 Like

I moved from a Drobo, which was pretty transparent but prone to failure. And at least once it did some weird thing where the OS gave it a new name (Drobo-1), so all the backups were looking at Drobo (which didn’t exist) instead of Drobo-1, which still appeared as Drobo everywhere other than in Terminal.

I just find the huge number of packages that must be dealt with bewildering. And I still don’t understand why it’s eating hard drives; I started with 5 4GB drives which ran out of room. I’ve replaced 3 of them with 8GB drives and it once again ran out of space.

Sorry. I know this is not what the thread’s about… (Doh!)

I switched from Dashlane to Bitwarden when Dashlane raised their prices. I have been very happy with it.

There is a cached copy, so you won’t totally lose access if you can’t reach the server. However, in my experience with 1Password 7, you can’t export a vault stored in the 1Password cloud. I had to first copy my vaults to a local copy. So my concerns are twofold:

  1. I won’t be able to export at all in 1Password 8. Or at least, not as smoothly as I did in 7. Granted, I haven’t tried the beta yet. (Don’t really want to risk my passwords to a beta.)
  2. I wouldn’t be able to sync passwords if I couldn’t reach the server.

I probably could have elaborated more on that in the article, but it was long enough already :-)

Yeah… that’s why I could never do Drobo.

GB? Did you mean terabyte? I put four 6-terabyte drives in mine and have plenty of room. There are some Synology packages that require a bunch of other dependencies. I don’t know off the top of my head if it makes it easy to figure out which package requires which other package.

Ah. Yes. TB. I’m an old-timer, I guess. I still remember my first exorbitant 20MB drive…

2 Likes

Yes…there was a similar discussion about the subscription model…and some folks left and some decided the features were worth the subscription price. However…losing features that one wants and uses is a whole ’nuther thing.

The local storage is in some sort of SQL or mySQL or whatever database they use but from their description there is no built in daily or manual backup like v7 and earlier have. While a clone and/or TM would probably actually backup whatever it was…the file is marked open anytime the app is running and whether it gets backed up and where is a whole lot further down the database rathole than the vast majority of users will or can go. A simple preference that exported a single encrypted backup copy of the database with an associated import function would allow a user to have an easily accessible copy of his/her data. However…according to them…since this would be exported on your computer/device it would lose the protection of their Secret Key and hence not be secure…so they’re not allowing it because their server will simply never go down. Hogwash…that’s just a bunch of marketing speak and justification for their taking a user hostile step…but as their business model has clearly changed from individual/family users to corporate/business users, despite their protestations to the contrary…it’s pretty clear that they’re not all that interested in individual users anymore. One of the subreddits I frequent has a saying…”when somebody shows/tells you what they are…believe them”.

I’ve said it before…I don’t like subs…but I have one for DropBox, Adobe, iCloud and others because I like and use the features enough to make accepting the sub acceptable to me. Removing features that I want and use is another thing entirely…and even if I was completely happy with everything else they do…I spent a lot of years in the computer and IT security business…and depending solely on a single source to backup your data is simply nuts…and even more so when that source is not under your control. My point is that even with their Secret Key and all their “it’s simply better” hogwash…the algorithm runs on your device…so the Secret Key and Master Password and their special sauce is running on your device…so from a technical standpoint exporting a backup copy to a location of your choice and reimporting that as the master copy of the data later on if necessary should be a pretty easy thing to do…but it’s not…because they’ve decided that their way is the only way and users can assimilate or go away.

I’m not even blaming them for making this business decision…they sold a bunch of the company to VCs no matter how big a bow they try to put on it…and the VCs want a profit so the company is delivering for their part owners and the founding partners or whoever else has a piece of the pie. What I’m blaming them for is trying to blow smoke up everybody else’s skirt and tell us how wonderful an idea this is…and how much better their way is than whatever way users are currently doing it is. I haven’t checked out their beta forum lately…if v8 ever actually gets released I’ll give it a whirl…and I’ve previously stated that sub, no DropBox and crappy client I dislike but I could live with those. Their responses basically say…our way is better, your way is bad…and we’ll think about eventually adding backup/restore capability later, maybe. Then they lapse into more marketing BS to obfuscate the issues and essentially refuse to explain why they can’t provide the features they’re deleting. My opinion is that the reason is to make money for the VCs and company but they don’t have the guts to admit that.

All that said…v7 is a fine product and I’m still using it today…and will continue to use it until it breaks or until v8 has the capabilities I and a lot of people want…backup and authoritative restoration of their data to and from a location of the user’s choice…not 1PW the company’s choice.

2 Likes

As I said…it’s been awhile since I looked at it but back then unencrypted was the only option…and there was no backup/restore capability at all. Export (which they said is so your data is not held hostage) is aimed at moving to another platform…not at making a copy of your data under your control in ~ or DropBox or wherever you choose to put it along with the ability to restore that data and have it overwrite the “master copy” on their server should this be necessary. They’ve probably got perfectly adequate backup and restore in their data centers as well as multiple copies and corruption recovery things in place…but those are their backups and not the user’s.

I will test it when it gets released to see if whatever it becomes meets my needs…but at this point it’s in beta and entrusting your password security and database to beta software seems pretty high on the not too smart scale to me…the password database is about the most important piece of data one has.

1 Like

I have 1Password 7 with a subscription and I have File / Export when I select a vault from my account.

What is meant by and why is a browser extension important?

Besides the manual Export command (which counts as a backup fully under your control), 1Password has a command line interface that you can use to script an automated backup. Googling brought up several examples. Back up as frequently as you want. I think I manually exported once since they went in the cloud several years ago.

The command line interface would allow you to do this. But I have no idea why one would want to make bulk changes. It’s not like you can make changes/mistakes to more than a single password at a time.

The database is actually common with version 7. 8 adds SSH keys, which 7 can read but not change. Most of the changes these days seem to be UI and/or performance related. I agree with the importance of the data. That’s why I trust 1Password, with its corporate resources and history of performance.

The company is not the spunky little Mac-focused Canadian company any more. They’ve moved to where the money is, the corporate customers. There’s payoff for consumer users even if it sometimes seems like you’re 2nd fiddle. A password database that is sharable among several people in multiple places more or less requires the architecture that they’ve implemented. That architecture makes family password management easy. My wife gets it. My kids get it. My dad gets it. I understand that use case is not everyone’s.

2 Likes

Add another one. I’m still using 6.8.x on Monterey - Mac Mini M1.

@sinarades: A browser extension is an add-on that links to your password database so you can fill in usernames and passwords without having to leave your browser to copy and paste login items from your password app. In some cases it can also capture new logins and add them to your database, fill in one-time passwords and the like.

1 Like

A very timely article and discussion for me. . . This morning when I tried to repair the corrupted 1Password extension in Brave (a recent issue affecting all extensions that I have not been able to fix) the 1PW extension simply disappeared.

When I went to the Chrome store to download another copy, the “legacy” extension is long gone (has been for a while). The new 1PW extension requires a “membership” i.e. subscription.

So I started using Safari again because when I updated to v. 7.9.4 from 7.9.2 1Password works as expected: a keyboard shortcut autofills my login credentials and uploads them to the website with a single button click.

I’ve been using Brave because of its privacy features and access to my long-time favorite anti-tracking and ad-blocking extensions. But it now looks like I will be using a less secure browser and finally forced to choose a new password manager as well.

Like some other people here I am getting older and my IT skills seem to be diminishing to the point that I require something easier than what Josh has done. I appreciate the various suggestions in this thread very much.

3 Likes

Thanks. That is what I thought it was. So an icon for 1Password appears in my browser along with other extension icons. There is also a 1Password icon in the Finder menu bar at the top of the screen which seems redundant. When I need that function I usually go to the menu bar or open the app directly. So while KeePassXC doesn’t have the browser extension, does it provide access via the Finder menu bar or must the application be opened?

1 Like