
bradl

macrumors 603
Jun 16, 2008
5,927
17,409
You can almost forgive a company for being hacked once. The issue with LastPass is that it keeps happening. That definitely does not inspire confidence in their ability to secure their infrastructure.

More than that, since the big correlation is cloud-based infrastructures, it causes a person to seriously question keeping sensitive data like that in cloud-based infrastructures, and question if the convenience is worth the risk.

BL.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
AND in a surprise to almost no one.
LastPass reveals another security breach

Notice of Recent Security Incident

Here's the thing. We use password managers for security reasons, i.e., to use complex passwords and avoid re-using the same password. It is beyond me that people still want to use LastPass given their inability to protect themselves - their track record is beyond abhorrent.

More than that, since the big correlation is cloud-based infrastructures, it causes a person to seriously question keeping sensitive data like that in cloud-based infrastructures, and question if the convenience is worth the risk.

BL.

I am not a programmer so I do not know if securing your software is possible or whether there will always be a way to hack it. All big corporates got hacked. I remember Sony once got hacked and their PlayStation service was down for like a month. So not sure if I can judge LastPass.

But I know one thing: if it was stored locally I think it's impossible to get hacked, but then again do you trust the closed software vendor?

I realised how dangerous trusting a password manager is when I was typing my PIN codes, expiry dates, and CC numbers into EnPass. Any spying, tracking, calling home, malfunction, or mistake made by the developer means your whole financial security data is out there.

Maybe sticking to reliable FOSS options like Bitwarden is the best choice.

As for LastPass users, there is no reason to stick with this company. It's cloud-based, subscription, and always gets hacked. You might as well go with 1Password; at least those do not get hacked. I think the only users they have are the ones that have no idea how many times this company got hacked.
 

bradl

macrumors 603
Jun 16, 2008
5,927
17,409
I am not a programmer so I do not know if securing your software is possible or whether there will always be a way to hack it. All big corporates got hacked. I remember Sony once got hacked and their PlayStation service was down for like a month. So not sure if I can judge LastPass.

But I know one thing: if it was stored locally I think it's impossible to get hacked, but then again do you trust the closed software vendor?

It depends on the trust. If it is closed source, and you don't have a way to completely trust the software or its vendor, then the only thing you can do is mitigate the potential for data to be compromised. The easiest way to do that is to check if there is any connectivity from the computer out to the internet for the duration of when the vault is requested to be open and data is coming out of it. If there isn't, then you're good. If there is, then that's a problem.

I realised how dangerous trusting a password manager is when I was typing my PIN codes, expiry dates, and CC numbers into EnPass. Any spying, tracking, calling home, malfunction, or mistake made by the developer means your whole financial security data is out there.

Maybe sticking to reliable FOSS options like Bitwarden is the best choice.

FOSS helps, because you can see what code does what prior to compiling it. Plus you can add to it if there is some additional feature you have added to the code or have additional code from a 3rd party you'd like added to it (assuming that it is also FOSS and can be compiled as well).

This is where ethical hacking comes in: where one will hack the program, looking for those vulnerabilities, but instead of trying to exploit them, they are reported to the developers so they can be fixed or patched.

As for LastPass users, there is no reason to stick with this company. It's cloud-based, subscription, and always gets hacked. You might as well go with 1Password; at least those do not get hacked. I think the only users they have are the ones that have no idea how many times this company got hacked.

It makes you wonder if any major businesses are using LastPass and if they had their data compromised with this breach. If so, it would be interesting to see if any lawsuits for liability crop up.

BL.
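The connectivity check described in the post above, written out as an added example (this is not code from the post's author or from any of the password managers named in the thread). The script parses the output format of `lsof -i -n -P` on macOS or Linux, keeps only the sockets owned by the vault application's process, and classifies each remote endpoint as loopback, LAN or internet so you can see whether the app talks outside your network while the vault is unlocked. The `lsof` snapshot embedded in the script is constructed, and the process names "Enpass" and "Bitwarden" are assumptions; `live_lsof()` runs the real command on your own machine.

```python
"""Report which network sockets a password-manager process holds open.

Added example, not from the forum thread or any vendor. Parses `lsof -i -n -P`
output (macOS/Linux) and tags each socket's remote end as loopback, lan or
internet. SAMPLE_LSOF below is constructed test data; "Enpass"/"Bitwarden" as
process names are assumptions for the demonstration.
"""
import ipaddress
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed `lsof -i -n -P` snapshot: a local sync listener, a LAN sync
# connection, one outbound HTTPS connection, and an unrelated browser socket.
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Enpass     4412  alice   23u  IPv4 0x1a2b3c4d5e6f7a8b      0t0  TCP 127.0.0.1:10391 (LISTEN)
Enpass     4412  alice   25u  IPv4 0x1a2b3c4d5e6f7a8c      0t0  TCP 192.168.1.20:52144->192.168.1.31:10391 (ESTABLISHED)
Bitwarden  5120  alice   31u  IPv4 0x1a2b3c4d5e6f7a8d      0t0  TCP 192.168.1.20:52201->104.18.30.1:443 (ESTABLISHED)
Safari     6001  alice   40u  IPv4 0x1a2b3c4d5e6f7a8e      0t0  TCP 192.168.1.20:52300->17.253.144.10:443 (ESTABLISHED)
"""

# NAME column: "local", "local (STATE)" or "local->remote (STATE)".
_NAME_RE = re.compile(r"^(?P<local>\S+?)(?:->(?P<remote>\S+))?(?:\s\((?P<state>[A-Z_]+)\))?$")


@dataclass(frozen=True)
class Socket:
    command: str
    pid: int
    proto: str
    local: str
    remote: Optional[str]
    state: Optional[str]
    scope: str  # "listen", "unbound", "loopback", "lan", "internet" or "unknown"


def _host_of(endpoint: str) -> str:
    """Strip the port from 'host:port' or '[v6]:port'."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")


def _scope(remote: Optional[str], state: Optional[str]) -> str:
    """Classify where the remote end of a socket lives."""
    if remote is None:
        return "listen" if state == "LISTEN" else "unbound"
    try:
        addr = ipaddress.ip_address(_host_of(remote))
    except ValueError:
        return "unknown"  # e.g. '*' wildcard or a hostname
    if addr.is_loopback:
        return "loopback"
    if addr.is_private or addr.is_link_local:
        return "lan"
    if addr.is_global:
        return "internet"
    return "unknown"


def parse_lsof(text: str) -> List[Socket]:
    """Parse `lsof -i -n -P` output into Socket records."""
    sockets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        parts = line.split(None, 8)  # NAME may contain a space before "(STATE)"
        if len(parts) < 9:
            continue
        command, pid, _user, _fd, _type, _device, _size, node, name = parts
        m = _NAME_RE.match(name.strip())
        if not m:
            continue
        remote, state = m.group("remote"), m.group("state")
        sockets.append(Socket(command, int(pid), node, m.group("local"),
                              remote, state, _scope(remote, state)))
    return sockets


def egress_report(text: str, process_names: Iterable[str]) -> List[Socket]:
    """All sockets owned by the named processes (case-insensitive match)."""
    names = {n.lower() for n in process_names}
    return [s for s in parse_lsof(text) if s.command.lower() in names]


def internet_sockets(text: str, process_names: Iterable[str]) -> List[Socket]:
    """Only the sockets whose remote end is a public (internet) address."""
    return [s for s in egress_report(text, process_names) if s.scope == "internet"]


def live_lsof() -> str:
    """Run the real command; requires lsof. Never called at import time."""
    return subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True,
                          text=True, check=False).stdout


if __name__ == "__main__":
    for s in egress_report(SAMPLE_LSOF, ["Enpass", "Bitwarden"]):
        print(f"{s.command:<10} pid={s.pid} {s.proto} {s.local} -> {s.remote or '-'} [{s.scope}]")
```

A single snapshot only proves what the process was doing at that instant, so take several while the vault is unlocked and while it autofills; a LAN-scoped socket during a Wi-Fi sync is expected, an internet-scoped one from a "local only" manager is what you are looking for.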
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
It depends on the trust. If it is closed source, and you don't have a way to completely trust the software or its vendor, then the only thing you can do is mitigate the potential for data to be compromised. The easiest way to do that is to check if there is any connectivity from the computer out to the internet for the duration of when the vault is requested to be open and data is coming out of it. If there isn't, then you're good. If there is, then that's a problem.

This is problematic and inconvenient for the average user. I think you need to run something like Little Snitch to monitor that, plus you can't do it on all devices, like iPhones.

It makes you wonder if any major businesses are using LastPass and if they had their data compromised with this breach. If so, it would be interesting to see if any lawsuits for liability crop up.

BL.

Pretty sure somewhere deep in the ToS, in 3pt font, they wrote that they are not responsible for anything.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
An article I found on iA writer site that talks about pricing models. I find it relevant and interesting if anyone wants to read:
 

toasted ICT

macrumors regular
Sep 28, 2010
124
138
Sydney
So, for everyone who scoffed when I suggested that using a password manager which mandates storage of all customers' data on the developer's server on the internet is foolish....

 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
So, for everyone who scoffed when I suggested that using a password manager which mandates storage of all customers' data on the developer's server on the internet is foolish....


I am worried as I am now dual-using EnPass/Bitwarden (no local storage option).

I am wondering if LastPass is just slacking on security on their side, or whether breaching your vault in the cloud is just a matter of time until some cyber criminals can access them? As I lack any programming knowledge I can not answer that question. On one side, the biggest corporates have been hacked. On the other side, online password storage has been around for a long time and yet we have yet to see passwords leak.

In LastPass's defence, although there was a breach, due to encryption nothing of value was lost.

As for me, the only thing that makes me feel safe with Bitwarden is that it is FOSS, it has a huge userbase, and I am sure there is a lot of auditing and many eyes looking at that code, from their own customers, to hobbyists, to security researchers from universities and everywhere else in the world.
 

Apple_Robert

Contributor
Sep 21, 2012
34,348
49,697
In the middle of several books.
I am worried as I am now dual-using EnPass/Bitwarden (no local storage option).

I am wondering if LastPass is just slacking on security on their side, or whether breaching your vault in the cloud is just a matter of time until some cyber criminals can access them? As I lack any programming knowledge I can not answer that question. On one side, the biggest corporates have been hacked. On the other side, online password storage has been around for a long time and yet we have yet to see passwords leak.

In LastPass's defence, although there was a breach, due to encryption nothing of value was lost.

As for me, the only thing that makes me feel safe with Bitwarden is that it is FOSS, it has a huge userbase, and I am sure there is a lot of auditing and many eyes looking at that code, from their own customers, to hobbyists, to security researchers from universities and everywhere else in the world.
Enpass and Bitwarden both have the option for local storage and backup.
 

maflynn

macrumors Haswell
May 3, 2009
73,504
43,427
Enpass and Bitwarden both have the option for local storage and backup.
Technically for Bitwarden, it's locally hosted. I may be splitting hairs, but there's a difference between having an offline copy like what you could do with 1Password and hosting the vault on a server. In the past you could have 1Password on your phone with the vault data on the phone. With Bitwarden, it's only hosted locally and will be running within a Docker container, so (I could be wrong) there's no real option of having a local copy on your phone.
 

bsmr

macrumors 65816
Oct 4, 2005
1,047
270
Germany
And you should never forget, that it also depends on the Apps, the browser integrations and so on...

A badly programmed extension could reveal your data a lot more easily than getting hold of an encrypted database.

And I think that among all the providers 1Password makes the most secure impression.

Really like the Vaultwarden thing, but as I said it's not all about the database itself.
 

Apple_Robert

Contributor
Sep 21, 2012
34,348
49,697
In the middle of several books.
Technically for Bitwarden, it's locally hosted. I may be splitting hairs, but there's a difference between having an offline copy like what you could do with 1Password and hosting the vault on a server. In the past you could have 1Password on your phone with the vault data on the phone. With Bitwarden, it's only hosted locally and will be running within a Docker container, so (I could be wrong) there's no real option of having a local copy on your phone.
Thanks for the distinction. You are technically correct. When I made the post I was thinking of vaults not going to a cloud.

For those interested, Strongbox is on sale for $59 lifetime for Mac and iOS.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
Enpass and Bitwarden both have the option for local storage and backup.

Enpass does, and basically this is a huge part of the reason I chose it. It's multi-platform + local storage + license + easy and pleasant to use (I dread the KeePass GUI).

Bitwarden I believe can be run on a server and in Docker, but I guess that is too dangerous for the average Joe as most of us lack the knowledge to do so, and it's just not as convenient.

And you should never forget, that it also depends on the Apps, the browser integrations and so on...

A badly programmed extension could reveal your data a lot more easily than getting hold of an encrypted database.

And I think that among all the providers 1Password makes the most secure impression.

Really like the Vaultwarden thing, but as I said it's not all about the database itself.

I use Enpass and I am wary about their security. They are multi-platform so they have to keep a lot of different apps up to date, they are a bit more on the obscure side so they do not have as large a user base (not much income), and I believe their developer team is smallish so...yeah. I am hoping it picks up in popularity and they get more funding, or someone else comes along with a similar product that is better funded with a bigger team of developers behind it.

What reason do you have to claim that 1Password is the most secure over others like Dashlane, Bitwarden, Enpass, Password Boss, Keeper, RoboForm, etc.?
 

bsmr

macrumors 65816
Oct 4, 2005
1,047
270
Germany
For those interested, Strongbox is on sale for $59 lifetime for Mac and iOS.
Yes. That really is a good deal.

But the issue with Strongbox is that Apple's iCloud Keychain gets in the way of using Strongbox. You can't disable iCloud Keychain while using Strongbox with Safari and so on...
You cannot save passwords from Safari into Strongbox (every entry has to be made manually).

The browser extensions for Firefox, Chrome and so on are in an early beta. I wouldn't trust them. And also... no chance to save passwords from those extensions.

The risk of phishing gets really high when using Strongbox because of these points.

And don't get me wrong - I like Strongbox and its development - but for me one of the biggest points of a password manager is 'also' its phishing protection capabilities!
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
This is a good starting point.... https://1passwordstatic.com/files/security/1password-white-paper.pdf

Haven't seen this in this way from the others.

I will not be able to decipher that 100-page book that probably needs someone with a master's degree in cyber security to understand, but I will take your word for it.

Yes. That really is a good deal.

But the issue with Strongbox is that Apple's iCloud Keychain gets in the way of using Strongbox. You can't disable iCloud Keychain while using Strongbox with Safari and so on...
You cannot save passwords from Safari into Strongbox (every entry has to be made manually).

The browser extensions for Firefox, Chrome and so on are in an early beta. I wouldn't trust them. And also... no chance to save passwords from those extensions.

The risk of phishing gets really high when using Strongbox because of these points.

And don't get me wrong - I like Strongbox and its development - but for me one of the biggest points of a password manager is 'also' its phishing protection capabilities!

Part of the reason I do not go for small-team/obscure-ish password managers, but Enpass is nearly my only option out there for local storage + Wi-Fi sync + license. I hope their team is up to the task. If a leak happens I am done🍳
 

bradl

macrumors 603
Jun 16, 2008
5,927
17,409
I will not be able to decipher that 100-page book that probably needs someone with a master's degree in cyber security to understand, but I will take your word for it.



Part of the reason I do not go for small-team/obscure-ish password managers, but Enpass is nearly my only option out there for local storage + Wi-Fi sync + license. I hope their team is up to the task. If a leak happens I am done🍳

A leak like that wouldn't happen, because no data is being stored anywhere else except for your local devices. Additionally, for any leak to possibly happen, someone would have to be physically on your home network, or a network you have a device connected to, and intercept the transmission of your password to a given site. And even with that, it wouldn't be the fault of Enpass, as it would be the fault of the browser during the transmission of the data. There is no network activity between the opening of your local vault on your local device and the filling of password/sensitive data into the browser.

As for your local network, a compromise would occur if a malicious user were able to intercept the data in your vault during the time that you are syncing between vaults, as that would happen over your network. But again, if you've had something like that happen, then you have bigger issues, as your entire network has been compromised.

BL.
 

Septercius

macrumors regular
Oct 5, 2017
122
238
UK
I see that Minimalist is now subscription-only ($29.99 per year). Whilst it is slightly cheaper than a 1Password subscription, I still find it difficult to get my head around having to subscribe to get access to my own password/etc data that I store locally. So that's Minimalist struck off my list of alternatives when/if 1PW eventually stops working.

The developer attempts to explain it in a response to a one star Apple Store review (https://apps.apple.com/us/app/minimalist-password-manager/id1523397704):

We are simply transitioning to a more sustainable business model which will allow us to maintain, improve, and support Minimalist going into the future... Unfortunately this means we can no longer offer a One-Time Purchase. It is, and always was, a completely unsustainable business model.

I'm not sure I agree with his reasoning. Isn't he a one-man band? How much does it cost, really?
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
A leak like that wouldn't happen, because no data is being stored anywhere else except for your local devices. Additionally, for any leak to possibly happen, someone would have to be physically on your home network, or a network you have a device connected to, and intercept the transmission of your password to a given site. And even with that, it wouldn't be the fault of Enpass, as it would be the fault of the browser during the transmission of the data. There is no network activity between the opening of your local vault on your local device and the filling of password/sensitive data into the browser.

As for your local network, a compromise would occur if a malicious user were able to intercept the data in your vault during the time that you are syncing between vaults, as that would happen over your network. But again, if you've had something like that happen, then you have bigger issues, as your entire network has been compromised.

BL.

What about the browser extension @bsmr talked about? Any security threats over there?
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
I see that Minimalist is now subscription-only ($29.99 per year). Whilst it is slightly cheaper than a 1Password subscription, I still find it difficult to get my head around having to subscribe to get access to my own password/etc data that I store locally. So that's Minimalist struck off my list of alternatives when/if 1PW eventually stops working.

The developer attempts to explain it in a response to a one star Apple Store review (https://apps.apple.com/us/app/minimalist-password-manager/id1523397704):



I'm not sure I agree with his reasoning. Isn't he a one-man band? How much does it cost, really?

I know these guys are lying because there are projects out there that are surviving for free or on donations: Pi-hole, Transmission (torrent), Apollo for Reddit, and Garuda Linux. All these guys are surviving on donations, not even one-time purchases.

The only way I see these apps finding sustainability in app development is when the user base is small and this user base really likes the app and wants it to continue. If we assume an app that has 3K users willing to subscribe for $3, then the developer makes $9K monthly and keeps working on it just for this small group.
 

HDFan

Contributor
Jun 30, 2007
6,607
2,854

einsteinbqat

macrumors 6502
Nov 3, 2012
485
422
Canada
I am worried as I am now dual-using EnPass/Bitwarden (no local storage option).

I am wondering if LastPass is just slacking on security on their side, or whether breaching your vault in the cloud is just a matter of time until some cyber criminals can access them? As I lack any programming knowledge I can not answer that question. On one side, the biggest corporates have been hacked. On the other side, online password storage has been around for a long time and yet we have yet to see passwords leak.

In LastPass's defence, although there was a breach, due to encryption nothing of value was lost.

As for me, the only thing that makes me feel safe with Bitwarden is that it is FOSS, it has a huge userbase, and I am sure there is a lot of auditing and many eyes looking at that code, from their own customers, to hobbyists, to security researchers from universities and everywhere else in the world.

Well, I read that LP logs the last IP address you used for a particular password, and that info is not encrypted. URLs related to a password are not encrypted either.

Hackers LOVE to know where you last used a password.

Hackers LOVE to know what websites you visit even if they don't know the password to it. So much easier to phish, scam, and blackmail.
 

bradl

macrumors 603
Jun 16, 2008
5,927
17,409
Well, I read that LP logs the last IP address you used for a particular password, and that info is not encrypted. URLs related to a password are not encrypted either.

Hackers LOVE to know where you last used a password.

Hackers LOVE to know what websites you visit even if they don't know the password to it. So much easier to phish, scam, and blackmail.

That feeds more into 1PW jumping into the fray.


The more that I'm seeing how asinine this incident is, the more I'm looking forward to Apple's implementation of Passkeys, and looking to see if Enpass will implement a version of it similar to what 1PW is doing.

BL.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
LastPass is exactly why I do not trust cloud servers or some "corporate-y" service. Reputation is necessary for me. I have no problem with 1Password attacking LastPass. Rivalry between services makes them air their dirty laundry in public, making them more careful of each other and giving them higher responsibility. I am sure after the LP incident any password service that wants to continue to exist will tread very carefully.

The fact that LP logs IP addresses and websites is ludicrous; they have no business doing that. They should only store the password and autofill it.

That feeds more into 1PW jumping into the fray.


The more that I'm seeing how asinine this incident is, the more I'm looking forward to Apple's implementation of Passkeys, and looking to see if Enpass will implement a version of it similar to what 1PW is doing.

BL.

I hear 1PW and others already rolled out passkeys AFAIK.
 