Yes - but they are providing web access to the vaults and I understand that there could be valid concerns around that.
There are no valid concerns about that. You could send your vault in a birthday cake to Vladimir Putin and it would be of no use to him. So it's immaterial where it's physically stored.

Similarly, I could mail a flash drive with a Time Machine backup for my laptop. If it goes missing in the post, there are zero concerns about my data being compromised because the backup is useless without my key.
 
Well you obviously need to step up your cryptography knowledge (certainly avoid sending stuff to Mr. Putin before).

If the vaults can be inspected on their webpage, they are decrypted at the server side (using the key/password provided by the user). A malicious organization (or one that was compromised) could abuse this to store the key or access the data.

This is different from an application running on the user's machine (where the user has significantly more control, especially in those cases where the source code is available); however, on a web server of a third party, anything can run.

I am not saying AgileBits is doing anything wrong - but I understand that people could have issues having their secrets decrypted on an external server.
 
Not according to Agilebits. This isn't the early 90s web. In 2022, browsers can run code locally. Here is their platform security document, which describes how the web portal works.


It says on page 68:

1Password offers a web client which provides the same end-to-end (E2E) encryption as when using the native clients. The web client is fetched from our servers as a set of JavaScript files (compiled from TypeScript source) that is run and executed locally in the user’s browser on their own machine. Although it may appear to users of the web client that our server has the capacity to decrypt user data, all encryption occurs on the user’s machine using keys derived from their account password and Secret Key.

It's an interesting read, and goes on to describe some of the threats of operating in a browser and mitigations to those threats. But certainly the decryption is all performed locally, not on the server.
 
And that is where I stopped reading.
Sorry, I didn't know that as a paying user that I was required to participate in their beta program, when I'm using production machines all day long that I can't have betas on. If Agilebits possibly sent out an email to all users telling us that such major and asinine changes were coming in the next release, I might have then looked into it a bit more.
But as far as I know, I did not receive such an email, so no I did not take part in their beta program.

And yes, that absolutely still lets me have a say and complain when they made such a ridiculous, pretty much laughable (if only it wasn't so important) situation. So read or don't read my post, I could care less. But saying "and that is where I stopped reading" just makes you sound like a lazy commenter.
 

You're definitely right - and I actually feel confident enough with AgileBits to use their cloud service (also because it is acceptable for some less IT-savvy family members).

Still even given all the mitigations available, offering browser access is a risk.

A simple example is the password/key: on a local machine you could have a complex cryptographic key protected with an insufficient password. If the vault gets into the wrong hands it is still relatively safe because of the complex key.
If it is on the web, all the cryptographic information must be reproducible from the password entered - if that is insufficient, there is a bigger risk of a successful cryptographic attack.
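The point argued above (and the quoted platform document's remark that keys are derived from both the account password and a Secret Key) comes down to how the vault key is built. As an added illustration, not code from this thread or AgileBits' actual implementation, here is a toy two-secret derivation in Python: a slow PBKDF2 over the password is combined with an HKDF output from a device-held Secret Key, so a short list of weak passwords reproduces the vault key only when the Secret Key is also known. Function names, the info string, iteration counts and sample values are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]

def derive_vault_key(password: str, secret_key: bytes, salt: bytes,
                     iterations: int = 100_000) -> bytes:
    """Toy two-secret key derivation (constructed; not 1Password's real scheme).

    The password half is deliberately slow (PBKDF2) but only as strong as the
    password; the Secret Key half is fast but carries high entropy that the
    server never sees. XOR-ing them means a correct password guess alone is
    not enough to rebuild the vault key.
    """
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=32)
    sk_part = hkdf_sha256(secret_key, salt, b"constructed-vault-key-info", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def dictionary_recovers_key(candidates: Iterable[str], secret_key: bytes, salt: bytes,
                            target_key: bytes, iterations: int = 100_000) -> Optional[str]:
    """Return the candidate password that reproduces target_key, or None.

    Shows the post's point: with the Secret Key in hand a weak password falls
    to a short wordlist; without it, no candidate matches.
    """
    for candidate in candidates:
        guess = derive_vault_key(candidate, secret_key, salt, iterations)
        if hmac.compare_digest(guess, target_key):
            return candidate
    return None

if __name__ == "__main__":
    salt = b"constructed-account-salt"
    secret_key = secrets.token_bytes(32)          # would live only on the user's device
    vault_key = derive_vault_key("password123", secret_key, salt, iterations=2000)
    weak_list = ["letmein", "qwerty", "password123"]
    print("with Secret Key:   ", dictionary_recovers_key(weak_list, secret_key, salt, vault_key, 2000))
    print("without Secret Key:", dictionary_recovers_key(weak_list, bytes(32), salt, vault_key, 2000))
```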
 
I bit and upgraded as I already have a subscription. I had to change my Apple ID password to get that to work. I also tried Bitdefender password manager since I have the antivirus. Big mistake. It won't work with Safari, won't import and all that. If Bitdefender didn't have the great rating..

Anyway, deep sixed the password manager.

I would just go with Safari and whatever Firefox stores and ditch this , but alas I am on the fence. I don't have a lot of places I go daily, but the pain in the tuchas of having to always enter the password program with a password daily, even though I have changed the settings is still a pain.
 
Yes. I agree with you here. In my case, I use the 1Password client on my machines. The web portal is useful to have as a backup if I were ever to lose a machine, or desperately needed information when none of my machines are around.
 
I finally tried out 8 and didn't last long and went back to 7

Really big change that I'm going to hold off on for a while I think

The Safari extension still wasn't showing up despite iP8, the MAS Extension and the latest Monterey.
I saw on reddit someone posted a terminal command to get it showing right. -- no thanks

I'll wait until they polish that for a few versions and try again.
 
I installed 1PW8 a few hours ago. It was easy to find the Safari extension. 1Password preferences > Browser has a direct link to it.

 
I find it odd that they've not submitted this new version to the Mac App Store yet. You'd think it would be an automatic thing. They're kind of being a bit vague as to why. Sounds like 'they're considering it' and asking users to 'share why they'd prefer to download via the App Store'. Huh?

If they don't want to use the platform and give Apple a cut, just say it, make it official. I prefer to access and manage my Mac apps, subscriptions and updates via the App Store. It's just easier, especially when you have several Macs and subscriptions are already being handled by the App Store.

I am not opposed to downloading direct, I have many apps that are not in the App Store, I just find it odd that they seem to be sitting this one out for this release (so far), and not saying why.
 
I couldn’t care less where I get it from. If there is a security update from them, you’re going to get it a lot quicker from them than in the App Store.
 

One of my issues with AgileBits anymore is how coy they've been about various changes over the past few years.

It sometimes feels like an organization I can't 100% trust to simply be direct and authentic -- usually for business reasons.

I, like you, wish they would just level with people.
 
Personally, I don't think it right that they charge a subscription with the promise of free updates, but people who downloaded it from the Mac App Store may not get the updates they are entitled to.
 
I suspect they are doing something in code that is outside the limits of acceptable App Store behavior.
But why would they not come out and say that? Seems like a reasonable justification that could have been added to the press release.

Seems to me like they are hoping to push some people to a direct download for data collection purposes.
 