Toggle sidebar Toggle sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

1Password migrants thread

VineRider said:
You can almost forgive a company for being hacked once. The issue with LastPass, is that it keeps happening. That definitely does not inspire confidence in their ability to secure their infrastructure.
Click to expand...

More than that, since the big correlation is cloud-based infrastructures, it causes a person to seriously question keeping sensitive data like that in cloud-based infrastructures, and question if the convenience is worth the risk.

BL.
 
  • Like
Reactions: Jordan Klein
maflynn said:
AND in a surprise to almost no one.
LastPass reveals another security breach

Notice of Recent Security Incident

Here's the thing. We use password managers for security reasons, i.e., use complex passwords and avoid re-using the same password. It is beyond me, that people still want to use LastPass given their inability to protect themselves - their track record is beyond abhorrent.
Click to expand...

bradl said:
More than that, since the big correlation is cloud-based infrastructures, it causes a person to seriously question keeping sensitive data like that in cloud-based infrastructures, and question if the convenience is worth the risk.

BL.
Click to expand...

I am not a programmer so I do not know if securing your software is possible or that there will always be a way to hack it. All big corporates got hacked I remember Sony once got hacked and their playstation service was down for like a month. So not sure if I can judge LastPass.

But I know one thing, if it was stored locally I think its impossible to get hacked but then again do you trust the closed software vendor?

I realised how dangerous trusting a password manager when I was typing my pin codes, expiring dates, and CC numbers in EnPass. Any spying, tracking, calling home, malfunction, mistake made by the developer means your whole financial secuirty data is out there.

maybe sticking to reliable FOSS options like Bitwarden is best choice.

As for LastPass users, there is no reason to stick with this company. Its cloud based, subscription, and always gets hacked. You might as well go with 1password, at least those do not get hacked. I think the only users they have are the ones that have no idea how many time this company got hacked.
 
MacBH928 said:
I am not a programmer so I do not know if securing your software is possible or that there will always be a way to hack it. All big corporates got hacked I remember Sony once got hacked and their playstation service was down for like a month. So not sure if I can judge LastPass.

But I know one thing, if it was stored locally I think its impossible to get hacked but then again do you trust the closed software vendor?
Click to expand...

It depends on the trust. If it is closed source, and you don't have a way to completely trust the software or its vendor, then the only thing you can do is mitigate the potential for data to be compromised. Easiest way to do that is to not allow to check if there is any connectivity from the computer out to the internet for the duration of when the vault is requested to be open and data is coming out of it. If there isn't, then you're good. If there is, then that's a problem.

MacBH928 said:
I realised how dangerous trusting a password manager when I was typing my pin codes, expiring dates, and CC numbers in EnPass. Any spying, tracking, calling home, malfunction, mistake made by the developer means your whole financial secuirty data is out there.

maybe sticking to reliable FOSS options like Bitwarden is best choice.
Click to expand...

FOSS helps, because you can see what code does what prior to compiling it. Plus you can add to it if there is some additional feature you have added to the code or have additional code from a 3rd party you'd like added to it (assuming that it is also FOSS and can be compiled as well).

This is where ethical hacking comes in: where one will hack the program, looking for those vulnerabilities, but instead of trying to exploit them, they are reported to the developers so they can be fixed or patched.

MacBH928 said:
As for LastPass users, there is no reason to stick with this company. Its cloud based, subscription, and always gets hacked. You might as well go with 1password, at least those do not get hacked. I think the only users they have are the ones that have no idea how many time this company got hacked.
Click to expand...

It makes you wonder if any major businesses are using LastPass and if they had their data compromised with this breach. If so, it would be interesting to see if any lawsuits for liability crop up.

BL.
 
  • Like
Reactions: MacBH928 and Mr. Heckles
bradl said:
It depends on the trust. If it is closed source, and you don't have a way to completely trust the software or its vendor, then the only thing you can do is mitigate the potential for data to be compromised. Easiest way to do that is to not allow to check if there is any connectivity from the computer out to the internet for the duration of when the vault is requested to be open and data is coming out of it. If there isn't, then you're good. If there is, then that's a problem.
Click to expand...

This is problematic and inconvenient for the average user. I think you need to run something like little snitch to monitor that plus you can't do it on all devices like iphones.

bradl said:
It makes you wonder if any major businesses are using LastPass and if they had their data compromised with this breach. If so, it would be interesting to see if any lawsuits for liability crop up.

BL.
Click to expand...

pretty sure some where deep in the ToS in 3pt font they wrote we are not responsible for anyhting
 
So, for everyone who scoffed when I suggested using a password manager that mandates storage of all customers data on the developers server on the internet is foolish....

www.bleepingcomputer.com

Lastpass: Hackers stole customer vault data in cloud storage breach

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: MacBH928, Alwis and bsmr
toasted ICT said:
So, for everyone who scoffed when I suggested using a password manager that mandates storage of all customers data on the developers server on the internet is foolish....

www.bleepingcomputer.com

Lastpass: Hackers stole customer vault data in cloud storage breach

LastPass revealed today that attackers stole customer vault data after breaching its cloud storage earlier this year using information stolen during an August 2022 incident.
www.bleepingcomputer.com www.bleepingcomputer.com
Click to expand...

I am worried as I am now dual using EnPass/Bitwarden(no local storage option) .

I am wondering if LastPass is just slacking on security on their side or breaching your vault in the cloud is just a matter of time until some cyber criminals can access them? As I lack any programming knowledge I can not answer that question. On one side, the biggest corporates have been hacked . On the other side, password online storage has been around for a long time and yet we have to see passwords leak.

In LastPass defence, although there was a breach due to encryption, nothing of value was lost.

As for me, the only thing that makes me feel safe with Bitwarden is that it is FOSS, it has huge userbase, and I am sure there is a lot of auditing and many eyes looking at that code from their own customers, to hobbyists, to security researchers from universities and everywhere else on the world.
 
MacBH928 said:
I am worried as I am now dual using EnPass/Bitwarden(no local storage option) .

I am wondering if LastPass is just slacking on security on their side or breaching your vault in the cloud is just a matter of time until some cyber criminals can access them? As I lack any programming knowledge I can not answer that question. On one side, the biggest corporates have been hacked . On the other side, password online storage has been around for a long time and yet we have to see passwords leak.

In LastPass defence, although there was a breach due to encryption, nothing of value was lost.

As for me, the only thing that makes me feel safe with Bitwarden is that it is FOSS, it has huge userbase, and I am sure there is a lot of auditing and many eyes looking at that code from their own customers, to hobbyists, to security researchers from universities and everywhere else on the world.
Click to expand...
Enpass and Bitwarden both have the option for local storage and backup.
 
  • Like
Reactions: AleRod
Apple_Robert said:
Enpass and Bitwarden both have the option for local storage and backup.
Click to expand...
Technically for bitwarden, its locally hosted. I may be splitting hairs but there's a difference in having an offline copy like what you could do with 1Password and hosting the vault on a server. In the past you could have 1Password on your phone with the vault data on the phone. With BitWarden, its only hosted locally and will be running withing a Docker container, so (I could be wrong) there's no real option to having a local copy on your phone.
 
And you should never forget, that it also depends on the Apps, the browser integrations and so on...

I bad programmed extension could reveal your data a lot more easy than getting an encrypted database.

And I think that between all the providers 1password makes the most secure impression.

Really like the vaultwarden thing, but as I said it's not all about the database itself.
 
  • Like
Reactions: BigMcGuire and maflynn
maflynn said:
Technically for bitwarden, it’s locally hosted. I may be splitting hairs but there's a difference in having an offline copy like what you could do with 1Password and hosting the vault on a server. In the past you could have 1Password on your phone with the vault data on the phone. With BitWarden, it’s only hosted locally and will be running withing a Docker container, so (I could be wrong) there's no real option to having a local copy on your phone.
Click to expand...
Thanks for the distinction. You are technically correct. When I made the post I was thinking of vaults not going to a cloud.

For those interested, Strongbox is on sale for $59 lifetime for Mac and iOS.
 
  • Like
Reactions: maflynn
Apple_Robert said:
Enpass and Bitwarden both have the option for local storage and backup.
Click to expand...

Enpass does and basically this is huge part of the reason I chose it. Its multi-platform + local storage + license + easy&pleasant to use (I dread Keypass GUI).

Bitwarden I believe can be run in a server and docker but I guess that is too dangerous for the average joe as most of us lack the knowledge to do so and just not as convenient.

bsmr said:
And you should never forget, that it also depends on the Apps, the browser integrations and so on...

I bad programmed extension could reveal your data a lot more easy than getting an encrypted database.

And I think that between all the providers 1password makes the most secure impression.

Really like the vaultwarden thing, but as I said it's not all about the database itself.
Click to expand...

I use Enpass and I am wary about their security. They are multi-platform so they keep a lot of different apps up to date, they are a bit more on the obscure side so they do not have as large of a user base (not much income), and I believe their developers team is smallish so...yeah. I am hoping it picks up in popularity and they get more funding or someone else come with a similar product that is better funded with bigger team of developers behind it.

What reason do you have to claim that 1password is most secure over others like : Dashlane, Bitwarden, Enpass, Password Boss, Keeper, Roboform...etc ?
 
  • Like
Reactions: Michaelgtrusa and AleRod
Apple_Robert said:
For those interested, Strongbox is on sale for $59 lifetime for Mac and iOS.
Click to expand...
Yes. That really is a good deal.

But for the issue with Strongbox is, that Apples iCloud Keychain does annoy the use of Strongbox. You can't disable iCloud Keychain while using Strongbox with Safari and so on...
You cannot save passwords from Safari into Strongbox (every entry has to be manually made).

The browser extensions for Firefox, Chrome and so on are in an early beta. I wouldn't trust them. And also... no chance to save passwords from those extensions.

The risk of phishing is getting really high, when using Strongbox because of this points.

And don't get me wrong - I like Strongbox and it's development - but for me one of the biggest points within a password manager is 'also' it's phishing protection capabilities!
 
  • Love
Reactions: rmadsen3
bsmr said:
This is a good starting point.... https://1passwordstatic.com/files/security/1password-white-paper.pdf

Haven't seen this in this way from the others.
Click to expand...

I will not be able to decipher that 100 page book that probably needs someone with masters degree in cyber security to understand but I will take your word for it.

bsmr said:
Yes. That really is a good deal.

But for the issue with Strongbox is, that Apples iCloud Keychain does annoy the use of Strongbox. You can't disable iCloud Keychain while using Strongbox with Safari and so on...
You cannot save passwords from Safari into Strongbox (every entry has to be manually made).

The browser extensions for Firefox, Chrome and so on are in an early beta. I wouldn't trust them. And also... no chance to save passwords from those extensions.

The risk of phishing is getting really high, when using Strongbox because of this points.

And don't get me wrong - I like Strongbox and it's development - but for me one of the biggest points within a password manager is 'also' it's phishing protection capabilities!
Click to expand...

Part of the reason I do not go for small team/obscure-ish password managers but Enpass is nearly my only option out there for local storage+Wifi sync+license. I hope their team is up to the task. If a leak happens I am done🍳
 
MacBH928 said:
I will not be able to decipher that 100 page book that probably needs someone with masters degree in cyber security to understand but I will take your word for it.



Part of the reason I do not go for small team/obscure-ish password managers but Enpass is nearly my only option out there for local storage+Wifi sync+license. I hope their team is up to the task. If a leak happens I am done🍳
Click to expand...

A leak like that wouldn't happen, because no data is being stored anywhere else except for your local devices. Additionally, for any leak to possibly happen, someone would have to be physically on your home network or network where you have a device connected to, and intercept the transmission of your password to a given site. And even with that, that wouldn't be the fault of Enpass, as it would be the fault of the browser during the transmission of the data. There is no network activity used between the opening of your local vault on your local device and the filling of password/sensitive data to the browser.

As for your local network, a compromise would occur if a malicious user would be able to intercept the data in your vault during the time that you are syncing between vaults, as that would happen over your network. But again, if you've had something like that happens, then you have bigger issues, as your entire network has been compromised.

BL.
 
I see that Minimalist is now subscription-only ($29.99 per year). Whilst it is slightly cheaper than a 1Password subscription, I still find it difficult to get my head around having to subscribe to get access to my own password/etc data that I store locally. So that's Minimalist struck off my list of alternatives when/if 1PW eventually stops working.

The developer attempts to explain it in a response to a one star Apple Store review (https://apps.apple.com/us/app/minimalist-password-manager/id1523397704):

We are simply transitioning to a more sustainable business model which will allow us to maintain, improve, and support Minimalist going into the future... Unfortunately this means we can no longer offer a One-Time Purchase. It is, and always was, a completely unsustainable business model.
Click to expand...

I'm not sure I agree with his reasoning. Isn't he a one-man band? How much does it cost, really?
 
  • Love
Reactions: rmadsen3
bradl said:
A leak like that wouldn't happen, because no data is being stored anywhere else except for your local devices. Additionally, for any leak to possibly happen, someone would have to be physically on your home network or network where you have a device connected to, and intercept the transmission of your password to a given site. And even with that, that wouldn't be the fault of Enpass, as it would be the fault of the browser during the transmission of the data. There is no network activity used between the opening of your local vault on your local device and the filling of password/sensitive data to the browser.

As for your local network, a compromise would occur if a malicious user would be able to intercept the data in your vault during the time that you are syncing between vaults, as that would happen over your network. But again, if you've had something like that happens, then you have bigger issues, as your entire network has been compromised.

BL.
Click to expand...

What about the browser extension @bsmr talked about? any security threats over there?
 
Septercius said:
I see that Minimalist is now subscription-only ($29.99 per year). Whilst it is slightly cheaper than a 1Password subscription, I still find it difficult to get my head around having to subscribe to get access to my own password/etc data that I store locally. So that's Minimalist struck off my list of alternatives when/if 1PW eventually stops working.

The developer attempts to explain it in a response to a one star Apple Store review (https://apps.apple.com/us/app/minimalist-password-manager/id1523397704):



I'm not sure I agree with his reasoning. Isn't he a one-man band? How much does it cost, really?
Click to expand...

I know these guys are lying because there are projects out there that are surviving for free or on donations. PiHole, Transmision (torrent), Apollo Reddit, and Garuda Linux. All these guys surviving on donations not even 1 time purchases.

The only way i see these apps looking for sustainability in app development is when the user base is small and this user base really like this app and want it to continue. If we assume an app that has 3K users willing to subscribe for $3 , then developer makes $9K monthly and keep working on it just for this small group.
 
MacBH928 said:
I am worried as I am now dual using EnPass/Bitwarden(no local storage option) .

I am wondering if LastPass is just slacking on security on their side or breaching your vault in the cloud is just a matter of time until some cyber criminals can access them? As I lack any programming knowledge I can not answer that question. On one side, the biggest corporates have been hacked . On the other side, password online storage has been around for a long time and yet we have to see passwords leak.

In LastPass defence, although there was a breach due to encryption, nothing of value was lost.

As for me, the only thing that makes me feel safe with Bitwarden is that it is FOSS, it has huge userbase, and I am sure there is a lot of auditing and many eyes looking at that code from their own customers, to hobbyists, to security researchers from universities and everywhere else on the world.
Click to expand...

Well, I read that LP logs the last IP address you used for a particular password, and that info is not encrypted. URLs related to a password are not encrypted.

Hackers LOVE to know where you last used a password.

Hackers LOVE to know what websites you visit even if they don't know the password to it. So much easier to phish, scam, and blackmail.
 
einsteinbqat said:
Well, I read that LP logs the last IP address you used for a particular password, and that info is not encrypted. URLs related to a password are not encrypted.

Hackers LOVE to know where you last used a password.

Hackers LOVE to know what websites you visit even if they don't know the password to it. So much easier to phish, scam, and blackmail.
Click to expand...

That feeds more into 1PW jumping into the fray.

LastPass security fail: 'Passwords could be cracked for $100'

The LastPass security breach controversy continues. After an independent security analyst described statements made by LastPass as “half-truths and outright...
9to5mac.com 9to5mac.com

The more that I'm seeing how asinine this incident is, the more I'm looking forward to Apple's implementation of Passkeys, and looking to see if Enpass will implement a version of it similar to what 1PW is doing.

BL.
 
LastPass is exactly why I do not trust cloud server or some "corporate-y" service. Reputation is necessary for me. I have no problem with 1Password attacking LastPass. Rivalry between services make them air their laundries in public making them more careful of each other and have higher responsibility. I am sure after the LP incident any password service that want to continue to exists will tread very carefully.

The fact that LP logs IP address and website is ludicrous , they have no business to do that. They should only store password+ autofill it.

bradl said:
That feeds more into 1PW jumping into the fray.

LastPass security fail: 'Passwords could be cracked for $100'

The LastPass security breach controversy continues. After an independent security analyst described statements made by LastPass as “half-truths and outright...
9to5mac.com 9to5mac.com

The more that I'm seeing how asinine this incident is, the more I'm looking forward to Apple's implementation of Passkeys, and looking to see if Enpass will implement a version of it similar to what 1PW is doing.

BL.
Click to expand...

I hear 1PW and others already rolled out passkeys AFAIK.
 
  • Like
Reactions: Alwis
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back