
maflynn

macrumors Haswell
May 3, 2009
73,497
43,423
As a FOSS Bitwarden user I hope rigorous testing is done to the software before uploading it as the new version.
I think that goes for any application, particularly one that is security focused. Just because it's open source does not make it inherently safer than commercial/closed source.
Bitwarden : Security Vulnerabilities, CVEs,

While I agree that many eyes can and do help, realistically the number of people checking out the code, looking for vulnerabilities or malicious code on GitHub repositories, is probably smaller than the development teams working on commercial software. I have no idea, just an opinion.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
I think that goes for any application, particularly one that is security focused. Just because it's open source does not make it inherently safer than commercial/closed source.
Bitwarden : Security Vulnerabilities, CVEs,

I agree. FOSS is more on the privacy side of things, not so much security.


While I agree that many eyes can and do help, realistically the number of people checking out the code, looking for vulnerabilities or malicious code on GitHub repositories, is probably smaller than the development teams working on commercial software. I have no idea, just an opinion.

While what you say is plausible, there seems to be a group of people hunting the internet for 0-day vulnerabilities and working hard at it. I assume there are other "white hats" who do that. Professors, journalists, computer students, government departments (that use the software), corporate employees (that use the software), researchers for their PhD, security companies?!
 

mailbuoy

macrumors regular
Jan 16, 2014
105
55
Davidsonville, MD
In the "is open-source better" debate, here is a report worth reading.

"Andres Freund, a Microsoft developer, found a malicious backdoor in popular open-source software last week." (Linux)

https://www.morningbrew.com/daily/s...utm_medium=newsletter&utm_source=morning_brew

"The (apparent) culprit: Signs point to a user with the pseudonym Jia Tan. Open-source software is primarily maintained by volunteer developers, but it takes a lot of work to become the person who hits the “publish” button. Tan had spent three years working alongside the code’s gatekeepers and gaining their trust."
 

eltoslightfoot

macrumors 68020
Feb 25, 2011
2,209
2,652
It's a conundrum for sure.

I might switch back to Enpass. It's only $24 per year and it can do cloudless syncing.
 

MisterSavage

macrumors 601
Nov 10, 2018
4,633
5,477
In the "is open-source better" debate, here is a report worth reading.

"Andres Freund, a Microsoft developer, found a malicious backdoor in popular open-source software last week." (Linux)

https://www.morningbrew.com/daily/s...utm_medium=newsletter&utm_source=morning_brew

"The (apparent) culprit: Signs point to a user with the pseudonym Jia Tan. Open-source software is primarily maintained by volunteer developers, but it takes a lot of work to become the person who hits the “publish” button. Tan had spent three years working alongside the code’s gatekeepers and gaining their trust."
Thank goodness he noticed it before it hit release versions.
 

eltoslightfoot

macrumors 68020
Feb 25, 2011
2,209
2,652
It's a conundrum for sure.

I might switch back to Enpass. It's only $24 per year and it can do cloudless syncing.
Forgot I was grandfathered in. Switched to Enpass with WebDAV syncing (I have an Unraid server). Saved myself having cloud syncing and $10 a year.
 

Supermallet

macrumors 68000
Sep 19, 2014
1,885
1,860
I switched away from 1Password when they released 8 and used Bitwarden for a while but I’m currently back on 1Password’s latest beta because of one key feature: Passkey login via security key with NO other method of login. I don’t want to have to worry about remembering a complex master password or worry that it’s not complex enough should someone try to gain access, and the security key being the only available method of login means that there’s no workaround a bad actor can use to access and decrypt my vault.

To the best of my knowledge, no other password manager offers this feature except for Bitwarden but their implementation is extremely limited and still has to have a master password as a secondary option. Do any of the other password services offer this?
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
In the "is open-source better" debate, here is a report worth reading.

"Andres Freund, a Microsoft developer, found a malicious backdoor in popular open-source software last week." (Linux)

https://www.morningbrew.com/daily/s...utm_medium=newsletter&utm_source=morning_brew

"The (apparent) culprit: Signs point to a user with the pseudonym Jia Tan. Open-source software is primarily maintained by volunteer developers, but it takes a lot of work to become the person who hits the “publish” button. Tan had spent three years working alongside the code’s gatekeepers and gaining their trust."

Proprietary software isn't any better. Apple and others keep sending weekly "security fixes". When it comes to open source software, I trust the people behind the project. I would trust Bitwarden but not some random guy who uploaded "his password app" on GitHub.

It's a conundrum for sure.

I might switch back to Enpass. It's only $24 per year and it can do cloudless syncing.

Enpass is the answer if the developers get their acts together and release a polished version.

I switched away from 1Password when they released 8 and used Bitwarden for a while but I’m currently back on 1Password’s latest beta because of one key feature: Passkey login via security key with NO other method of login. I don’t want to have to worry about remembering a complex master password or worry that it’s not complex enough should someone try to gain access, and the security key being the only available method of login means that there’s no workaround a bad actor can use to access and decrypt my vault.

To the best of my knowledge, no other password manager offers this feature except for Bitwarden but their implementation is extremely limited and still has to have a master password as a secondary option. Do any of the other password services offer this?

I thought most services do not have the passkey feature?!
Another thing I have against passkeys is that I can write my passwords down some place and use them anywhere. I am not comfortable with the idea that if I lose my device I lose access to my accounts. My device could be stolen, malfunction, or whatever else.
 

Supermallet

macrumors 68000
Sep 19, 2014
1,885
1,860
I thought most services do not have the passkey feature?!
Another thing I have against passkeys is that I can write my passwords down some place and use them anywhere. I am not comfortable with the idea that if I lose my device I lose access to my accounts. My device could be stolen, malfunction, or whatever else.
Many websites and services don't use passkeys yet, I was talking about only logging into my password manager. Currently 1Password supports this in a beta from the app and online (and in iOS and Android). Bitwarden supports this only through their web interface on Chrome. Checking out some of the other options I did find that Strongbox DOES give you the option to use a password, key file, or hardware key either as the sole login option or in conjunction for multi factor authentication.

As for why use only a hardware key and not a password, hardware keys are to the best of my understanding immune to key loggers and man in the middle attacks if entering credentials online. The more I think about it though, the more I think it's best for something as sensitive as a password vault to have the multi factor authentication of password and hardware key, as much as I want to ditch my password. So I'm in the process of migrating to Strongbox.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
Many websites and services don't use passkeys yet, I was talking about only logging into my password manager. Currently 1Password supports this in a beta from the app and online (and in iOS and Android). Bitwarden supports this only through their web interface on Chrome. Checking out some of the other options I did find that Strongbox DOES give you the option to use a password, key file, or hardware key either as the sole login option or in conjunction for multi factor authentication.

As for why use only a hardware key and not a password, hardware keys are to the best of my understanding immune to key loggers and man in the middle attacks if entering credentials online. The more I think about it though, the more I think it's best for something as sensitive as a password vault to have the multi factor authentication of password and hardware key, as much as I want to ditch my password. So I'm in the process of migrating to Strongbox.

It is indeed more secure, but I keep thinking: what happens if I lose my hardware key, or the device I am trying to log in from does not have a USB input (assuming the key is USB based), or whatever else... With a password I just have to type in a password that I remember in my head or have written somewhere, and I am done.

The passkey/hardware key method seems better for a work environment where if you lost your device someone from IT can issue you a new one.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,372
1,752
Around
It is indeed more secure, but I keep thinking: what happens if I lose my hardware key, or the device I am trying to log in from does not have a USB input (assuming the key is USB based), or whatever else... With a password I just have to type in a password that I remember in my head or have written somewhere, and I am done.

The passkey/hardware key method seems better for a work environment where if you lost your device someone from IT can issue you a new one.
You get a hardware key that fits what you need. Right now all of my devices have USB-C and/or NFC, so I got a key that has both. Everyone has a key in my family (4 of us) and each other's can be used for each other's 1Password, Apple ID, email, and access to the account with our domain. I also have 1 key at my parents' and 1 at my in-laws'.

I have 6 keys in case one breaks.
 

Supermallet

macrumors 68000
Sep 19, 2014
1,885
1,860
It is indeed more secure, but I keep thinking: what happens if I lose my hardware key, or the device I am trying to log in from does not have a USB input (assuming the key is USB based), or whatever else... With a password I just have to type in a password that I remember in my head or have written somewhere, and I am done.

The passkey/hardware key method seems better for a work environment where if you lost your device someone from IT can issue you a new one.
You buy at least one, if not multiple backups of your key so if the original breaks you can replace it easily. If it gets lost you can use the backup to log in to the services that use it and disable the first key so you’re not at risk of someone using it to log in to your accounts.

It is undoubtedly less convenient, but far more secure. Should someone ever manage to get a copy of the actual database file AND my master password, it would be of no use to them without the key. Meanwhile I've been able to log in elsewhere and change my master password so they don't even have that anymore.

By the way, Strongbox is fantastic. I tried it many years ago and didn’t think it was worth it back then (this was when 1Password was still great), but now they are the most fully featured password manager I’ve ever seen. It covers all the basic features you’d expect of any competent password manager today, and then lets you drill so deep into customization based on your preference that you can set it up to be exactly the way you want it. They even provide a standalone app with all the network functionality code removed for people who want to run on a purely local install without any possibility of remote access. They let you choose which service you want to use to sync, or no service at all. They offer both a subscription option and lifetime purchase option. The app will store passkeys and TOTP codes and their password generator has all sorts of options so you can still generate good passwords for sites that have restrictions. You can even choose how many guesses per second a hypothetical attacker would make when trying to crack the password and this will change the readout of how long it would take to crack based on the amount of entropy in the password you’re generating. Just a mind boggling level of control.

The only downside is that with this level of customization, initial set up takes a lot longer as you run through the various setting options, and if you’re not careful you can inadvertently make your vault less secure or less functional or both by enabling certain combinations of options. The good news is the devs are sensitive to this and provide excellent documentation that is easy to understand and they’re very active and responsive on the Strongbox subreddit. In addition they’ve programmed in warnings for some combinations of features to let you know if you’ve enabled things that together make your vault significantly less secure.

I am blown away by the quality and functionality of Strongbox and as long as the devs continue to be this enthusiastic and responsive in building it out, it will be my password manager of choice from now on.
 
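The point made above, that a copy of the vault file plus the master password is useless without the hardware key or key file, is what a KeePass-style composite key provides. The following is an added Python example, not Strongbox's or KeePass's code: the container format, KDF parameters and the HMAC-based stream cipher are constructed for the demo, and a random 32-byte key file stands in for the key-file or hardware-key factor.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo: the vault key depends on BOTH the master password and a
# key file, so a stolen database plus the master password alone still fails.
# Format, KDF parameters and cipher are invented here; real vaults use
# Argon2/AES-KDF with AES-256 or ChaCha20.

def composite_key(password: str, key_file: Optional[bytes]) -> bytes:
    """Hash each factor separately, then hash the concatenation (KeePass style)."""
    factors = hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        factors += hashlib.sha256(key_file).digest()
    return hashlib.sha256(factors).digest()

def vault_key(composite: bytes, salt: bytes) -> bytes:
    """Memory-hard KDF: slows offline guessing of the password factor."""
    return hashlib.scrypt(composite, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

def keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """HMAC-in-counter-mode keystream (demo cipher only)."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, salt + i.to_bytes(4, "big"), "sha256").digest() for i in range(blocks)
    )[:length]

def seal_vault(plaintext: bytes, password: str, key_file: Optional[bytes]) -> dict:
    salt = os.urandom(16)
    key = vault_key(composite_key(password, key_file), salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, salt, len(plaintext))))
    tag = hmac.new(key, salt + ct, "sha256").digest()  # detects wrong key or tampering
    return {"salt": salt, "ct": ct, "tag": tag}

def open_vault(vault: dict, password: str, key_file: Optional[bytes]) -> Optional[bytes]:
    key = vault_key(composite_key(password, key_file), vault["salt"])
    expected = hmac.new(key, vault["salt"] + vault["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None  # wrong password, missing/wrong key file, or tampered vault
    stream = keystream(key, vault["salt"], len(vault["ct"]))
    return bytes(c ^ k for c, k in zip(vault["ct"], stream))

def demo() -> dict:
    """Constructed scenario: attacker holds the vault file and the master password."""
    key_file = os.urandom(32)  # stands in for the key-file / hardware-key factor
    secret = b"github.com: correct horse battery staple"
    vault = seal_vault(secret, "master-password", key_file)
    return {
        "owner": open_vault(vault, "master-password", key_file),
        "password_only": open_vault(vault, "master-password", None),
        "wrong_password": open_vault(vault, "wrong-password", key_file),
    }

if __name__ == "__main__":
    print(demo())
```

Only the "owner" entry decrypts; the password-only and wrong-password attempts fail the tag check, which is the behaviour the post describes for a vault protected by both factors.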

DCIFRTHS

macrumors 65816
Jan 25, 2008
1,191
588
You get a hardware key that fits what you need. Right now all of my devices have USB-C and/or NFC, so I got a key that has both. Everyone has a key in my family (4 of us) and each other's can be used for each other's 1Password, Apple ID, email, and access to the account with our domain. I also have 1 key at my parents' and 1 at my in-laws'.

I have 6 keys in case one breaks.
Are you using 1Password or did you switch?
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
You buy at least one, if not multiple backups of your key so if the original breaks you can replace it easily. If it gets lost you can use the backup to log in to the services that use it and disable the first key so you’re not at risk of someone using it to log in to your accounts.

It is undoubtedly less convenient, but far more secure. Should someone ever manage to get a copy of the actual database file AND my master password, it would be of no use to them without the key. Meanwhile I've been able to log in elsewhere and change my master password so they don't even have that anymore.

I didn't know you can have multiple keys. I thought it's one trusted key per app.
So every time I need to open a password manager on my phone I have to supply it with the hardware key, or is it a one-time thing per device?

By the way, Strongbox is fantastic. I tried it many years ago and didn’t think it was worth it back then (this was when 1Password was still great), but now they are the most fully featured password manager I’ve ever seen. It covers all the basic features you’d expect of any competent password manager today, and then lets you drill so deep into customization based on your preference that you can set it up to be exactly the way you want it. They even provide a standalone app with all the network functionality code removed for people who want to run on a purely local install without any possibility of remote access. They let you choose which service you want to use to sync, or no service at all. They offer both a subscription option and lifetime purchase option. The app will store passkeys and TOTP codes and their password generator has all sorts of options so you can still generate good passwords for sites that have restrictions. You can even choose how many guesses per second a hypothetical attacker would make when trying to crack the password and this will change the readout of how long it would take to crack based on the amount of entropy in the password you’re generating. Just a mind boggling level of control.

The only downside is that with this level of customization, initial set up takes a lot longer as you run through the various setting options, and if you’re not careful you can inadvertently make your vault less secure or less functional or both by enabling certain combinations of options. The good news is the devs are sensitive to this and provide excellent documentation that is easy to understand and they’re very active and responsive on the Strongbox subreddit. In addition they’ve programmed in warnings for some combinations of features to let you know if you’ve enabled things that together make your vault significantly less secure.

I am blown away by the quality and functionality of Strongbox and as long as the devs continue to be this enthusiastic and responsive in building it out, it will be my password manager of choice from now on.

Strongbox is missing one critical feature for me, which is the mini-assistant. I do not understand how this is not more popular. Only 2 password managers have this option: 1Password and Enpass.

It's vital for me to retrieve critical information without having the browser window on. I can just call it any time using cmd+alt+\
 

MisterSavage

macrumors 601
Nov 10, 2018
4,633
5,477
Looks like Passkey support for Bitwarden mobile is currently in TestFlight. This was becoming a pain point for me.

 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,327
3,719
Looks like Passkey support for Bitwarden mobile is currently in TestFlight. This was becoming a pain point for me.


Could we assume that with passkeys we no longer have to worry about our passwords stored in the cloud?
 

MisterSavage

macrumors 601
Nov 10, 2018
4,633
5,477
Could we assume that with passkeys we no longer have to worry about our passwords stored in the cloud?
Not for my use case. I want to use them with my phone but I also don't want to lose access to my accounts if I lose access to my phone.
 

toasted ICT

macrumors regular
Sep 28, 2010
124
138
Sydney
Passkey login via security key with NO other method of login
How does that work? The passkey is on your phone? You lose the phone or it's taken from you... what then?
What do you do when you want access from your Mac instead of the phone?
Not being critical... just interested in how it works.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,372
1,752
Around
How does that work? The passkey is on your phone? You lose the phone or it's taken from you... what then?
What do you do when you want access from your Mac instead of the phone?
Not being critical... just interested in how it works.
If they are using iOS, the passkey will be tied to their Apple ID. Once they get a new device, they will be able to log in from the new device as long as they are signed into the same Apple ID.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,372
1,752
Around
Proprietary software isn't any better. Apple and others keep sending weekly "security fixes". When it comes to open source software, I trust the people behind the project. I would trust Bitwarden but not some random guy who uploaded "his password app" on GitHub.
Since when does Apple send weekly security updates? I get weekly updates on my Windows and System 76 computers (one is open source, one is not).

Getting security updates is a good thing. What do you think happens when an issue is found in an open source program? An update will be coming. You think just because something is open source, you're going to get fewer updates? No.

I trust documentation... info from security audits. As long as the program (open sourced or not) supplies audits and it's documented, I'm happy.

If no one looks for security issues, none will be found and there wouldn’t be updates….
 