I have been a 1PW user since 2007. I love the product, but I have one complaint about them. Their customer service is poor. My experience has been that they take a long time to respond, and they talk to me like I’m a) a child using a computer for the first time or b) someone who has worked in tech since the early days of computing. I’m neither. That’s just my experience.
My question for this group concerns security when I’m not on my home wifi. If I’m in a coffee shop using their wifi, someone can steal my info if I log on to my bank with my username and password. (At least, I think that’s true.) Is it any safer to log on to those secure sites using 1PW, or am I taking the same risk?
Further, if I need to log on to some site where I don’t want my information compromised, is there a way to do it safely? I use 2FA on most of my accounts, and I add it to older ones when I log in and see it’s not set up.
It’s true that someone with access to that coffee shop’s router could theoretically capture the traffic between you and your bank. However, if you’re using a secure connection (i.e., URL starts with “https”), then all they would have is an encrypted string of data. For practical purposes, this is sufficiently secure. Adding 2FA would certainly add more security, but that’s usually a defense against someone knowing/guessing your password, not against a line tap.
If the bank is using TLS (e.g., https), it is almost surely not true. The conversation that is used for authentication is encrypted, and TLS certificate check will prevent you from trying to log in to a man-in-the-middle who is trying to proxy the https connection. (In other words, the coffee shop running a server pretending to be the bank, capture your user name and password while logging in to your actual account separately.)
I believe that almost all, if not all, reputable banks will not accept plain http, non-TLS traffic.
It is no riskier. The traffic going to the bank is pseudorandom noise to anyone capturing the traffic. Perhaps it’s safer if you have malware on your machine that is capturing keystrokes, but in that case they already see your password to your 1P account, so you’re already in trouble.
1Password, like all password managers, does not affect your actual network traffic at all. It protects your passwords, not your network connections. Any risks of attacks based on insecure networks are unchanged by using a password manager versus manually managing your passwords.
What a password manager like 1Password does is help make your passwords themselves more secure by eliminating the need for you to remember them. The actual use of the password over a network connection is the same regardless of how you store the password or the method used to enter it into a web site (1P autofill, paste into field, manually type).
As others have pointed out, what protects your network traffic is https/TLS. There are some sophisticated attacks a really determined hacker can use to try to capture session cookies, but unless you’re a high-value target, it’s unlikely that you will be hit by such. For normal use, TLS is generally sufficient.
If you’re concerned about the security of a wifi network, the strongest easy way to avoid that risk is to use a cellular connection (directly if using a device that can do so, or via private hotspot if not). A cellular data connection is not subject to the same vulnerabilities as a wifi network and requires a magnitude or two of greater effort to break into. The ad-hoc wifi connection created by a private hotspot has the same risks as any other wifi network, but if it’s hidden and password-protected, the chance of it being targeted during use is near enough to zero (again, unless you’re a high-value target). A VPN can also add protection, by adding an additional layer of encryption over that already provided by the network and the https connection.
Frankly, you’re at much greater risk of device theft and over-the-shoulder password theft than wifi hacking these days. And a password manager like 1Password does help with those, because you won’t be seen typing the password, and the password vault’s own password helps keep the passwords secure if the device is stolen. Combined with TouchID/FaceID, it’s about as secure as most people will ever need.
Assuming you can trust your cellular provider. Didn’t the big US providers allow law enforcement agencies to tap into their data centres some years ago? And harvest data to sell to advertisers? A random coffee shop Wi-Fi might be a lot less risky!
Honestly, that applies to just about any connection through a large corporation. Most will cooperate with law enforcement without any hesitation. If that’s something you’re worried about, use a VPN or TOR.
The point here is that from a technical standpoint, a cellular connection is less vulnerable to hacking than a wifi connection. Both are vulnerable to law enforcement intrusion.
Marquelle’s suggestion of VPN is a decent additional layer.
[EDIT: Removed comment about Firefox “Private Browsing” for clarity.]
One other silly thing I do is to have multiple profiles in Firefox. For example, you can create a 2nd profile that is for sensitive work or just for shopping. I have a profile that uses a bright red (or caution tape) theme so I visually know I am in that space. I then configure that profile’s settings (Preferences) to purge all data on Quit and a few other things.
Using separate profiles is different from simply opening a tab in Private Browsing mode (which only clears history/cookies but does not add network security). You can have custom settings and add-ons that are completely different from your main browser, allowing greater control over certain web sites.
The info below describes how to use multiple Firefox profiles. Stop reading now if you are not interested in this.
You can access Firefox profiles by entering “about:profiles” in the URL field just like any web site. Be sure to note the NAME of the current profile once this opens. If you already have more than one, look for the profile that does NOT have a button to “Set as default profile”. I say this because when creating a New profile in Firefox, it has the annoying habit of making the new profile the Default. You can easily switch this back by reloading “about:profiles” and setting Default on your original profile.
Make a bookmark at the top for “about:profiles” so you can quickly access this tool. Then you can locate your special profile and click “Launch profile in new browser”. This will open a COPY of Firefox with your special profile and keep everything separate from your main work.
The special profile can be set to auto-delete data and history when Quit by opening:
Firefox menu > Preferences > Privacy & Security > History (scroll down a bit on right)
click next to “Firefox will” and choose “Never remember history”
If you want to have history retained during each session (so you can jump around or search history) but still purge everything on Quit, select “Use custom settings for history” for #2 and check the box next to “Clear history when Firefox closes”. Then click the “Settings…” button to the right and check all boxes there.
Be sure to disable Firefox auto-update in any additional profiles (Firefox > Preferences > General > (scroll down to) Firefox Updates > select “Check for updates but let you choose to install them”). When an update appears, dismiss any messages in your secondary profiles and Quit them before updating with your main Firefox.
Could you elaborate on the reason for this recommendation?
The Firefox app’s installation is independent of any profile. It’s shared by all profiles and all users on your Mac. If anyone updates the app, the other profiles will upgrade their settings the next time they run.
If you’re concerned that this automatic upgrade might break something, keep in mind that it is going to be the same process that upgrades the profile you were using when you initiated the upgrade.
No problem, David. I know it sounds counter-intuitive.
If you have multiple Firefox profiles running in tandem and more than one start the auto-update process, you can run into conflicts as they all attempt to download and overwrite the main package. Crude analogy, but it is like 2+ people trying to write the same thing on the same piece of paper at the same time… It doesn’t work very well.
When using multiple profiles that launch different instances of the SAME Firefox app, I have found it helpful to keep all profiles set to check but not update. This enables you to see the notices, but dismiss them until you can close out all additional profiles and then run the update on only ONE profile (via Firefox > About Firefox or from the top, right button.) If you keep the “main” profile as auto-update you need to remember to close the other profiles first. It is just easier to have all profiles set the same way in some cases.
Using this method, you still see timely update alerts but can wait until you finish what you are doing. I work with one person who has taken the multiple profiles thing a bit too far: They run at least eight at any one time. Imagine eight identical update processes all fighting to patch the same app.
I didn’t realize you could run two profiles at once from a single login.
I would like to think that the Mozilla people have thought about this and have implemented file locking necessary to prevent multiple instances from stepping on each other, but there may be bugs.
FWIW, I never enable auto-updates anyway. I want to know about updates before they are installed. Sometimes I want to defer them to a later date/time.
It is always good to hear positive support stories like that, typ993.
The rest of this post is entirely about Firefox profiles…
You are correct, David. The Firefox/Mozilla team does employ a “lockfile” when a profile is active. This protects things somewhat and prevents you from opening that same profile twice. However, the lockfile can sometimes cause problems if it is left behind after Firefox closes (ie. crashes under specific conditions). There is a process to correct this issue here:
Be aware that if you are using a computer provided by a large institution they may employ profile locks to prevent tampering via the “policies.json” file. Unfortunately this can also prevent updates as well. You can often edit this file if needed.
I have not done extensive testing on Firefox updates while running multiple profiles, but I would strongly suggest it is best to avoid it altogether. There is always the possibility of corrupting the main Firefox app if something does not finish at just the right moment, but I have not personally seen this. It would be easy to re-download the current Firefox and drag-replace it over the old one, but potential damage to your profiles is the concern. Yes, it can happen, although rare. (Side note: Be sure your backups do not exclude your ~/Library folder where all your settings and app data are stored.)
If your instances of Firefox do get into an “update battle” you will see “Firefox is being updated by another instance” (link to reddit discussion). Usually it is best to Quit all running Firefox instances and then re-launch one to start the update process again. At worst you just restart the computer (or logout and back in on that user). This clears most Firefox profile issues unless there is a “lockfile” left behind.
If you use a firewall app like Little Snitch or Lulu, the additional Firefox instances show up as “firefox-bin” so you will need to add that to your whitelist.
Years ago, Firefox had a standalone Profile Manager, but it was replaced by the built-in “about:profiles” tool. The one feature I miss from the standalone app was the ability to assign different versions of Firefox to each profile. This permitted you to have a profile that only used Firefox ESR or an older version for testing specific things. There are other ways to do this but not as easy.
Due to the customization that Firefox profiles offer, and Mozilla’s focus on personal privacy and security, I mostly use and encourage others to use Firefox. Google Chrome, Safari, Edge, etc. have their unique features and may be faster, but most do not afford the same level of control nor prioritize user privacy and security to the same degree.
It is possible to allow 1PW and any other extension to work in Private Browsing windows. But really, Private Browsing adds no security whatsoever to your wi-fi connection, all it does is leave no history and no cookies on your computer.
Maybe I’m not understanding correctly, but that doesn’t sound right. When I open a Private Browsing window in Firefox, I still have access to my saved passwords and Firefox will happily autofill them. Is this a difference between Firefox autofilling and a password manager autofilling in Firefox?
Valid point, drmoss. I was conflating two things in my mind: Use of untrusted wi-fi, and use of an untrusted computer (ie. a public computer at a cafe).
Thank you for that clarification, Will. I rarely use the Firefox password manager to that extent.
Will edit those parts of my post with notation for the record.
I always use a VPN with my Macs and iOS devices, which provides protection on both compromised WiFi and “wired” public LANs. There are additional benefits as well.
The primary reason I have used a VPN for almost 20 years is to prevent my ISP from tracking and logging my online activity. Many ISPs routinely sell their customers’ data to a wide variety of companies and it certainly does not benefit us in any way.
I recommend IVPN (www.ivpndotnet) because of its strong commitment to customer privacy. It is also unique among commercial VPN companies in having a no-advertising/affiliates policy. Information on its privacy policies are readily available on the IVPN website by clicking the Our Manifesto, Privacy and Blog links. There is also an active IVPN subReddit.
