Both. When you have a corporation with a team of paid professionals, it is different from 3 guys trying their best; something might slip by. It's not a rule, but a general guideline.
Not for nothing, I would say larger companies will often have more issues with security due to larger teams.

Do you feel the same way for small FOSS projects? Do you actively suggest people to avoid those and use commercial products in its place that were produced by large companies like MS, Google, etc?
 
Wasn’t Barracuda and SolarWinds hacked a few years ago? Both big companies.
Let us not forget LastPass, which was one of the largest password managers, if not the largest.

There’s also all of those zero-day vulnerabilities that Microsoft deals with. Their SharePoint was just under attack, with hackers using a vulnerability.
 
1) No matter what app is used, there are going to be risks. Suggesting a larger company is more secure or less vulnerable is naive at best. Conversely, saying a small company can't provide as good a service and focus is also naive.

2) The perfect app doesn't exist so, stop looking for it.

3) Use what works best with your personal workflow regardless of what others use.

4) Although subscription software is not my preference, there is nothing inherently wrong with using an app founded on such, versus a lifetime license which is usually defined as 5 years in the EULA. A company can be bought out or go under at any time. It is a gamble either way.

5) I think some in the thread look to find fault in every app or situation mentioned while trying to find positions based on nothing more than fallacy.

6) As quickly as tech and threat levels change, what worked last month or last year may or may not be the best to use in the present. Make informed decisions based on the facts before you, not hunches or what-ifs based on nothing more than logical fallacy.

7) Open source doesn't mean the software is inherently more secure or less vulnerable.

8) Never rely on any app or company to keep your personal data safe and accessible to you at all times. That responsibility belongs to the end user. Always have a backup contingency.

9) If someone uses an app or website service you don't like or agree with, that doesn't make said person wrong. Our duty as fellow members is to point out any known problems we may know of based on facts, share that information with others, and not get into circular arguments, which serve no real purpose.
 
Avatar notwithstanding. ;)

It's a good example, though. Firefox and Brave have far smaller headcounts than Chrome does, yet?

Security not privacy.

In the case of Brave and Firefox, they have less headcount than Chrome but enough headcount to begin with. I'd trust Brave more than, say, Pale Moon. With 40 million active users, it's big enough for me. And Mozilla has employees in the hundreds.

 
Not for nothing, I would say larger companies will often have more issues with security due to larger teams.

Larger teams have dedicated professionals working on security. I'll guess more people are testing Bitwarden security than say something like Minimalist (no offense to author)

Do you feel the same way for small FOSS projects? Do you actively suggest people to avoid those and use commercial products in its place that were produced by large companies like MS, Google, etc?

When it comes to security (not privacy), yes. It kind of depends on the size of the project too. Are we talking a calculator app or a cloud hosting suite like NextCloud? Another thing to take into consideration is the lifetime of the app. If one guy worked on an app for 15 years and it's widely used with no one able to breach it, I guess it's safe to use.


Wasn’t Barracuda and SolarWinds hacked a few years ago? Both big companies.

Let us not forget LastPass, which was one of the largest password managers, if not the largest.

There’s also all of those zero-day vulnerabilities that Microsoft deals with. Their SharePoint was just under attack, with hackers using a vulnerability.

It's not bulletproof, but it's a safer approach. Think of it like keeping your money in the bank vs in a drawer at your home. The bank can still be robbed, but it's a safer approach than your drawer.
 
Have a look at this post on MacRumors by @R3van. I read the link, and understand only the concept.
It also appears this vulnerability only affects users that have the autofill extension installed, correct?

Edit: A quick Google search turns up multiple links on the subject. I haven’t read the articles yet, but here are a few:

TechRadar
Bleeping Computer
MSN
 
Have a look at this post on MacRumors by @R3van. I read the link, and understand only the concept.
It also appears this vulnerability only affects users that have the autofill extension installed, correct?
Yes, this vulnerability applies to password managers that use a browser extension to autofill.

Note that although iCloud Passwords (Apple Passwords) is listed, this does not apply when using the application with Safari. Safari uses the Apple Password AutoFill system, which is not a browser extension. However, when using a third-party browser on Mac or on Windows, a browser extension is necessary to autofill information from Apple Passwords.
 
Yes, this vulnerability applies to password managers that use a browser extension to autofill.

Note that although iCloud Passwords (Apple Passwords) is listed, this does not apply when using the application with Safari. Safari uses the Apple Password AutoFill system, which is not a browser extension. However, when using a third-party browser on Mac or on Windows, a browser extension is necessary to autofill information from Apple Passwords.

I read (only once) https://marektoth.com/blog/dom-based-extension-clickjacking/. I'm at an 80% understanding and plan to read it a few more times.

The essential vulnerability being discussed is the ability for a malicious script to hide an extension's UI elements but still allow the user to interact with them while thinking they are interacting with other things. You can avoid this vulnerability by turning off those UI elements.

The 1Password extension is mostly usable without any UI elements. That's the way I had used it for years, because the 1Password icon shown within fields always annoyed me. Instead, on macOS I used the toolbar's icon to fill in credentials on a web page. On iOS, I selected the entry from the "Passwords" prompt that Safari gave me when I'd given focus to a field that relates to credentials. To turn off the risky UI elements, disable "Offer to save and fill logins and other items" in preferences. Certainly some convenience is lost, but I had never missed it.

Unfortunately, recently I'd turned the UI stuff back on for passkey support. I guess that is something I'm going to miss.

Toth writes in the conclusion of the article that the risks to credentials require that the website be compromised in some way. The 1Password extension will only offer credentials for those that "match" the URL in the browser's address bar. He mentions a few ways that can happen. Credit cards and other personal information are more exposed; they are even available on an attacker website.

It's a really great article and an eye opener.
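The post above sums the issue up as "the UI is invisible but clickable". What follows is an added example, not code from this thread, from 1Password, or from Toth's article: a defensive check an autofill extension could run on the element it injects into a page before honouring a click on it. It walks the element's computed styles and those of its ancestors, confirms the element is inside the viewport and is what actually sits at the click point, and refuses clicks on an element that was repositioned a moment earlier. The thresholds, the settle-time rule, the field names and the sample snapshot are all assumptions made for the example.

```javascript
// Added example, not code from this thread or from any password-manager
// vendor: a defensive check an autofill extension could run on the UI it
// injects into a page before it treats a click on that UI as genuine.
// It works on plain snapshots so it can be exercised outside a browser;
// buildSnapshot() shows how a snapshot is taken from the live DOM.

const OPACITY_FLOOR = 0.2; // assumed threshold: anything fainter is treated as hidden
const SCALE_FLOOR = 0.05;  // assumed threshold: transforms that shrink the UI this far hide it
const SETTLE_MS = 500;     // assumed: the UI must sit still this long before a click counts

// Smallest axis scale encoded in a computed 2-D `transform` value.
function transformScale(transform) {
  if (!transform || transform === 'none') return 1;
  const m = /^matrix\(([^)]+)\)$/.exec(transform);
  if (!m) return 1; // matrix3d and friends: treated as unscaled (simplification)
  const [a, b, c, d] = m[1].split(',').map(Number);
  return Math.min(Math.hypot(a, b), Math.hypot(c, d));
}

// True if this one computed-style snapshot makes the element, and everything
// inside it, invisible or effectively invisible.
function hidesElement(style) {
  if (style.display === 'none') return true;
  if (style.visibility === 'hidden' || style.visibility === 'collapse') return true;
  if (Number(style.opacity) < OPACITY_FLOOR) return true;
  if (style.clipPath && style.clipPath !== 'none') return true;
  if (transformScale(style.transform) < SCALE_FLOOR) return true;
  return false;
}

// Decide whether a click on the extension's element should be honoured.
// snapshot = {
//   styleChain: computed styles of the element and each ancestor, element first
//   ownId:      id of the extension element
//   hitId:      id of the topmost element at the click point (elementFromPoint)
//   rect:       element bounding box; viewport: { width, height }
//   lastMovedAt, now: timestamps in ms }
function assessClick(snapshot) {
  const { styleChain, ownId, hitId, rect, viewport, lastMovedAt, now } = snapshot;
  if (styleChain.some(hidesElement)) return { ok: false, reason: 'hidden-by-style' };
  if (rect.right <= 0 || rect.bottom <= 0 ||
      rect.left >= viewport.width || rect.top >= viewport.height) {
    return { ok: false, reason: 'offscreen' };
  }
  if (hitId !== ownId) return { ok: false, reason: 'covered' };
  // A menu that was repositioned just before the click (for example moved
  // under the pointer) has not settled; refuse and let the user click again.
  if (now - lastMovedAt < SETTLE_MS) return { ok: false, reason: 'unstable' };
  return { ok: true, reason: 'visible' };
}

// Browser side, not executed here: build a snapshot from a live element.
function buildSnapshot(el, clickX, clickY, lastMovedAt, win = window) {
  const styleChain = [];
  for (let node = el; node; node = node.parentElement) {
    const cs = win.getComputedStyle(node);
    styleChain.push({ display: cs.display, visibility: cs.visibility, opacity: cs.opacity,
                      clipPath: cs.clipPath, transform: cs.transform });
  }
  const hit = win.document.elementFromPoint(clickX, clickY);
  return { styleChain, ownId: el.id, hitId: hit ? hit.id : null,
           rect: el.getBoundingClientRect(),
           viewport: { width: win.innerWidth, height: win.innerHeight },
           lastMovedAt, now: Date.now() };
}

// Constructed sample snapshot (not captured from a real page): the menu is
// fully visible, sits inside the viewport, is the top element at the click
// point and has not moved for five seconds.
const plain = { display: 'block', visibility: 'visible', opacity: '1', clipPath: 'none', transform: 'none' };
const visibleSample = {
  styleChain: [{ ...plain }, { ...plain }],
  ownId: 'pm-autofill-menu', hitId: 'pm-autofill-menu',
  rect: { left: 100, top: 200, right: 340, bottom: 260 },
  viewport: { width: 1280, height: 800 },
  lastMovedAt: 0, now: 5000,
};

// Copy of a snapshot with one ancestor's style patched (for the checks below).
function withAncestorStyle(sample, index, patch) {
  const styleChain = sample.styleChain.map((s, i) => (i === index ? { ...s, ...patch } : s));
  return { ...sample, styleChain };
}

console.log(assessClick(visibleSample).reason);                                         // visible
console.log(assessClick(withAncestorStyle(visibleSample, 1, { opacity: '0' })).reason); // hidden-by-style
```

The check is deliberately conservative: an ancestor with `opacity: 0`, a clip-path, or a near-zero transform hides everything beneath it, so any hit in the chain is enough to refuse the click. The settle-time rule is the part that addresses a menu being dragged under the pointer; it costs the user nothing more than a second click on a page that behaves honestly.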
 
I read (only once) https://marektoth.com/blog/dom-based-extension-clickjacking/. I'm at an 80% understanding and plan to read it a few more times.

The essential vulnerability being discussed is the ability for a malicious script to hide an extension's UI elements but still allow the user to interact with them while thinking they are interacting with other things. You can avoid this vulnerability by turning off those UI elements.

The 1Password extension is mostly usable without any UI elements. That's the way I had used it for years, because the 1Password icon shown within fields always annoyed me. Instead, on macOS I used the toolbar's icon to fill in credentials on a web page. On iOS, I selected the entry from the "Passwords" prompt that Safari gave me when I'd given focus to a field that relates to credentials. To turn off the risky UI elements, disable "Offer to save and fill logins and other items" in preferences. Certainly some convenience is lost, but I had never missed it.

Unfortunately, recently I'd turned the UI stuff back on for passkey support. I guess that is something I'm going to miss.

Toth writes in the conclusion of the article that the risks to credentials require that the website be compromised in some way. The 1Password extension will only offer credentials for those that "match" the URL in the browser's address bar. He mentions a few ways that can happen. Credit cards and other personal information are more exposed; they are even available on an attacker website.

It's a really great article and an eye opener.
I think this statement from the BleepingComputer article (https://www.bleepingcomputer.com/ne...gers-can-leak-logins-in-clickjacking-attacks/) is eye-opening:

[Update 8/21 3:40 AM EST] - 1Password sent BleepingComputer the following comment:

"Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. Because the underlying issue lies in the way browsers render webpages, we believe there’s no comprehensive technical fix that browser extensions can deliver on their own..."
 
I don’t recommend people use password app extensions.
What percentage of people who are using the ten password managers listed in Marek Toth’s report (1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, and RoboForm) are going to want to use their password manager without the respective browser extensions installed?
 
What percentage of people who are using the ten password managers listed in Marek Toth’s report (1Password, Bitwarden, Dashlane, Enpass, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, and RoboForm) are going to want to use their password manager without the respective browser extensions installed?
Using a password manager extension is a real security risk. That is a fact. It is safer not to use an extension. If some people at large want to be lazy and put blind faith in a password app extension, then bad things may happen due to bad actors and/or bad coding.

Others can do what they want. I was pointing out that doing so is a bad idea and one that I don't engage in. It takes me several seconds longer to get information inputted, but I believe doing so is the safer thing for me to do.
 
I don’t recommend people use password app extensions.
Yeah I never installed password extensions for any of my password manager.
That largely defeats the purpose of password managers
No it isn’t. A password manager's main purpose is to store passwords, and it does. The extension is just an extra. I never installed any since it is always a risk. I just open it, read it and enter it manually on the website.
 
For me, the manager (Strongbox) stores my information and then I manually input when needed.
I’d rather not type in qjg!apr-jvd8ABN8qda or similar passwords that are generated

Edit:
Manually typing in those randomly generated passwords that I use will be virtually impossible on my phone or iPad as well. One of the powerful features of password managers is that they work across platforms, like phones, tablets, and desktop computers.
 
Using a password manager extension is a real security risk. That is a fact. It is safer not to use an extension. If some people at large want to be lazy and put blind faith in a password app extension, then bad things may happen due to bad actors and/or bad coding.

Others can do what they want. I was pointing out that doing so is a bad idea and one that I don't engage in. It takes me several seconds longer to get information inputted, but I believe doing so is the safer thing for me to do.
I doubt most people would think your suggestion for not using password browser extensions is feasible, which is why I posed the question that I did. A better solution would be for people to switch to a password manager that doesn’t require a browser extension to work. If you stick to Safari on Apple platforms you have at least these choices: Apple Passwords, Strongbox, Minimalist, and Codebook. If you want to use other browsers, and/or work on other platforms, then I know of only one choice: Codebook.
 
I'll continue to use the extension, but with the risky parts turned off. Using the clipboard is probably a less secure approach.

Regarding the approach of manually entering passwords: I am not willing to expose my passwords in a public setting in order to learn the values to support that approach. Also, it would take some patience to use this approach. I log in to websites very often. I would have to switch to the password program, search for the entry corresponding to the site, expose the credentials, and then type very complicated values into the site's fields. I would probably often mistype. I just timed myself with one site and it took 25 seconds without making a mistake. This could be easier if I used simpler passwords.
 
"Clickjacking is not unique to the 1Password browser extension. It is a long-standing web attack technique that affects websites and browser extensions broadly. Because the underlying issue lies in the way browsers render webpages, we believe there’s no comprehensive technical fix that browser extensions can deliver on their own..."

I want to point out one quote in Toth's post:

Clickjacking in web applications has minimal security impact in most cases because users are not authenticated in the loaded iframe and therefore preventing any malicious actions from being executed.

I understand this point quite well from my current work. So, 1Password shouldn't try to dismiss the issue with such a comment.

I'm not really sure what is new in Toth's post. It really is just related to a presentation he made at a conference. It's a bit of a survey of issues. Some of what is discussed is rehashing old issues that are resolved. Much of the post shows various (and obvious) techniques of hiding extension web elements.

DOM-based Extension Clickjacking can be divided into several types/categories. Each manipulates DOM elements differently, but the result is always the same - the UI is invisible but clickable.

The eye-opener for me was the various clever ways of getting a user to click on the hidden elements. For example, by making the hidden web element follow the mouse pointer so that wherever the user clicks the extension gets the click. So, I've come to understand that if I'm on an unknown website, any click can have consequences.

He does present some more interesting stuff regarding cracking passkeys when the server fails to implement "session-bound challenges". This issue will go away by itself as server developers learn how to correctly implement passkeys. Developers make mistakes all the time. In fact, recently I had to tell my client to fix something they did regarding replay issues with OAuth.

At this point, I'm comfortable with my use of the browser extension with the UI elements turned off. I might even leave the passkey-related UI elements turned on (a separate switch in 1Password). I have to study this one more.

At the end of his article he says various vendors have addressed the vulnerabilities. In each case, he only seems to be saying they've managed to prevent their web elements from becoming invisible. 1Password does seem to be working on this and has something to say here:


and here

 
I want to point out one quote in Toth's post:



I understand this point quite well from my current work. So, 1Password shouldn't try to dismiss the issue with such a comment.

I'm not really sure what is new in Toth's post. It really is just related to a presentation he made at a conference. It's a bit of a survey of issues. Some of what is discussed is rehashing old issues that are resolved. Much of the post shows various (and obvious) techniques of hiding extension web elements.



The eye-opener for me was the various clever ways of getting a user to click on the hidden elements. For example, by making the hidden web element follow the mouse pointer so that wherever the user clicks the extension gets the click. So, I've come to understand that if I'm on an unknown website, any click can have consequences.

He does present some more interesting stuff regarding cracking passkeys when the server fails to implement "session-bound challenges". This issue will go away by itself as server developers learn how to correctly implement passkeys. Developers make mistakes all the time. In fact, recently I had to tell my client to fix something they did regarding replay issues with OAuth.

At this point, I'm comfortable with my use of the browser extension with the UI elements turned off. I might even leave the passkey-related UI elements turned on (a separate switch in 1Password). I have to study this one more.

At the end of his article he says various vendors have addressed the vulnerabilities. In each case, he only seems to be saying they've managed to prevent their web elements from becoming invisible. 1Password does seem to be working on this and has something to say here:


and here


When you say UI elements, do you mean the icon in the input field?
 
When you say UI elements, do you mean the icon in the input field?

That and the further elements that display after you click on that. The passkey UI elements are extra and not triggered by that button.

The current vulnerability is about actual HTML elements, inserted into the web page by the extension, and capable of receiving click events from the user. Clicking on the extension's button in the browser's toolbar does not count. Using that button and selecting a suggested password uses a different approach to place the credentials in the correct fields. I don't know what that approach is.
 
That and the further elements that display after you click on that. The passkey UI elements are extra and not triggered by that button.

The current vulnerability is about actual HTML elements, inserted into the web page by the extension, and capable of receiving click events from the user. Clicking on the extension's button in the browser's toolbar does not count. Using that button and selecting a suggested password uses a different approach to place the credentials in the correct fields. I don't know what that approach is.

What about the autofill shortcut, like Cmd+/ in 1Password?
 