incoming people testing their password and somehow it was cached and they get hacked and everyone got their password leaked
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
1Password Integrates With 'Pwned Passwords' to Check if Your Passwords Have Been Leaked Online
- Thread starter MacRumors
- Start date
- Sort by reaction score
Sorry to burst thy bubble but 1password does not have a standalone version for linux. You are, again, forced to use their damn subscription via their browser extension.
Ok, your point? I have the subscription one. I’m also not forced, I don’t have to use if i don’t want too. I can install Wine and use the standalone if I really wanted too. I really like the subscription version, so I don’t have an issue with it.
Last edited:
Uh...when checking your password with an online database, doesn’t it give the online database YOUR password...?
So the passwords that are on your local system is now transmitted to an online database for checking...this is a good thing?
That is like saying, “ Let me check to see if your password is safe. We will take your password and check it against our database of passwords that are compromised (meaning passswords that others know). Now your previously unknown password if not on our list is now known and is now in our database for safe keeping...”. Now WE know your password(s).
This is a good thing? Are people nuts? That is why we have passwords....so only I know it on my system.....?
To throw my two pence in there; like many of you I was strongly opposed to the subscription model, because I switched to 1P because of LastPass’ breach of their online database.
There were two things that changed my mind:
First, the 1P team addressed my concerns even though I wrote a very heated post, and showed me a link to their security white paper (something LastPass never had).
I confess I didn’t read it, because I’m not a cryptographer and it would have gone over my head, but the fact that they don’t believe in “security by obscurity” and instead allow people to scrutinise the security earned some of my trust back.
Secondly, I was (and still am) forced to use Windows as my daily driver and work computer now. While I still have my phone where I had all the passwords stored, it was just too inconvenient to keep having to type them while looking at the phone. If I was going to buy the standalone version for windows, I would have had to reconstruct my entire DB by hand, and yeah no.
I’ve been happy with the subscription thus far, took a week out of my life to change every damn password to something unique, so I’m feeling pretty good about the whole situation
There were two things that changed my mind:
First, the 1P team addressed my concerns even though I wrote a very heated post, and showed me a link to their security white paper (something LastPass never had).
I confess I didn’t read it, because I’m not a cryptographer and it would have gone over my head, but the fact that they don’t believe in “security by obscurity” and instead allow people to scrutinise the security earned some of my trust back.
Secondly, I was (and still am) forced to use Windows as my daily driver and work computer now. While I still have my phone where I had all the passwords stored, it was just too inconvenient to keep having to type them while looking at the phone. If I was going to buy the standalone version for windows, I would have had to reconstruct my entire DB by hand, and yeah no.
I’ve been happy with the subscription thus far, took a week out of my life to change every damn password to something unique, so I’m feeling pretty good about the whole situation
And the latest versions have native iCloud sync which I consider a great improvement.
In this case, no. What is given to the database is a part of the hash of your password.
You can think of a hash like a weather forecast. The initial conditions (temperature, humidity, pressure, wind, etc.) are your password and the weather forecast, eg, five days out is the hash. While calculating the weather forecast is (nowadays) relatively straightforward, doing the reverse is much harder (ie, given todays weather what must the weather have been five days is hard to calculate because a lot of quite different initial conditions could have lead to today's weather).
But to further protect the password what is send to the database are only the first five characters of the hash. Which in the weather forecast analogy would be to give only a small part of the current weather conditions (which make it definitely impossible to recalculate what the weather conditions, aka your password, were five days ago). For the given database of potentially compromised passwords, around 500 different passwords create the same five characters of the hash. But the total number of possible passwords that would match the first five hash characters is even larger by a multiple. So, all your telling the database is that your password is one of probably several thousand different passwords, which might be in the 500 possible matches in the database or they might not.
The database then sends those about 500 passwords to AgileBits servers and AgileBits compares the full hash of those with the full hash of your password. And while AgileBits knows who these passwords belong to, the online database of passwords is getting a huge number of requests from AgileBits and is not able to know to whom the password requests belong or even which of those requests came from the same person.
You are already trusting AgileBit with your passwords by typing them into their application running on your computer. If you use any syncing (iCloud, Dropbox), you are trusting that the synced data is well encrypted. How AgileBits will implement the checking exactly is not clear yet (they haven't rolled it out yet, this is just a prove of concept so far). In theory, your local copy of 1P could send those first five characters of the hashes to AgileBit and then they would send it aggregated to the online database. With that you would give AgileBits the information (per password) that it is one of several thousand. But given that you trust AgileBits already by storing your passwords in their application, you probably can trust them as well that they don't store that information after the 'checking' was done.
(If I got anything of the above wrong, feel free to correct me.)
This app is awesome. I love using it and I am happy to pay a subscription. It means it’s updated often. The issue I have is currently is using it on iOS for passwords in safari is a bit unclear to me.
my u
my understanding is that the subscription model has your data in the cloud and its syncs from there and I don't want my vault to be in the cloud with all my passwords
my understanding is that the subscription model has your data in the cloud and its syncs from there and I don't want my vault to be in the cloud with all my passwords
So your point is that you don't like them only offering the cloud feature with the subscription plan and that those who don't want to pay a subscription are excluded from it because you don't like the cloud feature?
If it worked as you described, it would in fact be a terrible solution! However, both the security researcher who has compiled the password database and the folks at 1Password are smart and thoughtful, and built a system which doesn't expose your password.
As has been pointed out, the first few characters of a SHA-1 hash are only used for this password comparison function, which is completely insufficient to give even a hint as to what your true password is. The actual security of passwords stored in 1Password is much stronger.
Details on 1Password's encryption and security are located here: https://support.1password.com/1password-security/
And details on how this new feature to compare your passwords against a repository of hacked passwords works and protects your privacy are located here: https://blog.agilebits.com/2018/02/22/finding-pwned-passwords-with-1password/
Nothing has been forced. The online subscription model has allowed them to innovate and create new features, but users of the standalone apps have not lost anything (and in fact, continue to gain new features and functionality).
They are a software company not part of any government agency. I have never seen Agilebits make any political statements much less try and force others to believe the same.
In my opinion, they make an excellent program and I like the new feature. If anyone is too political right now, it’s you for injecting politics into a non political story. Save it for the PSRI forum.
Last edited:
I was using this app until they moved to subscription. Tried LastPass, Dashlane and finally now on Secret (part of the Setapp subscription). Pretty happy with it so far....
That’s not correct. I’m using the standalone version at home and at work. They market the subscription service, but the standalone apps are available.
I’ve been using them for years and follower them on twitter and Facebook, and not once have I ever seen a political post. I’m even on their forums, and nothing about politics.
Till they moved to subscription? They still sell and support the standalone versions.
https://forums.macrumors.com/thread...app-subscription.2034555/page-2#post-24355475
From 1Password themselves!
Check out the two posts above. 1Password have said that the standalone model is not their focus and yet they continue to sell it at premium prices.
Not a focused, BUT the are still selling it. 1Password 7 for Windows will support local vaults and syncing with Dropbox when it comes out (right now it’s in beta). Just like Apple isn’t focused on the Mac Mini, they are selling it and they even said updates are coming.
https://discussions.agilebits.com/discussion/86285/1password-7-for-windows-alpha-1-is-here/p1
“Note: While standalone vaults are now available in this alpha update, you'd still need a valid 1Password membership to open/create new standalone vaults. The ability to use standalone vaults without the membership is coming in a future alpha update.”
Last edited:
I have a standalone licence, but after AgileBits started burying the standalone version on the website (without a direct link, you couldn’t find it) and after the Windows standalone version was artificially maintained at an older major version number compared to its subscription counterpart, I stopped using 1Password. Any reversals on AB’s part now just seem disingenuous. They wanted all their loyal customers to get caught up in the subscription model along with new customers. Okay, fair enough, but it was the WAY it was done that really sent me over the edge.
For what it’s worth, I now use Enpass and highly recommend it. The desktop app is free and the phone app is a one-time purchase. The vault can be stored locally or in a cloud service. It’s basically what 1Password used to be.
Last edited:
And you don't consider this to be disingenuous? And yes, I am not going to buy the Mac mini from Apple cause I find it reprehensible that they are doing this but that is a topic for another day.
The subscription is actually good value, IMO, - all platforms, plus web. Personally, I use iOS, Mac and Windows versions, at home and work, so lots of value for money.
If I just used 1Password on Mac, I would only have the standalone version....
Last edited:
I don't understand why you think it's disingenuous. The 1Password software which can be licensed separately is quality software. It's the same software used by subscription accounts. The software is actively developed, with frequent bug fixes and occasional features added.
No features have been dropped or deactivated from the standalone software. They are not trying to make the licensed software "worse"in order to encourage subscriptions, they've simply made the subscription so good that many people are choosing to subscribe.