Not a 1Password user, but if I've understood correctly, having a local vault means your passwords will not be synced across multiple devices, no? 🧐
 
I hate subscriptions - but 1Password delivers, especially with the family subscription (even for non IT-savvy family members)
 
Not a 1Password user, but if I've understood correctly, having a local vault means your passwords will not be synced across multiple devices, no? 🧐
You can also sync those with a cloud service (or your own mechanism like nextcloud) - but if you (or your family members) need comfort and don't mind the bucks - go for the subscription
 
If you tell how to check, I can lol

This should be able to tell..


I'm going to guess that for 1Password, the Kind column should have it listed as Intel, because support for it should have been dropped well before M1 came out, and if it's running under Rosetta, I wonder if it will only work on borrowed time because of whenever Apple decides to drop Rosetta in the next few MacOS releases.

BL.
 
If you tell how to check, I can lol
Right-click in the 1Password 6 icon and select “Get Info.” Next to “Kind” it’ll tell you what type of Application it is - Intel or Universal. If it is Intel, the app will run under Rosetta. If it’s Universal it can run natively on both M1 and Intel.
 
Right-click in the 1Password 6 icon and select “Get Info.” Next to “Kind” it’ll tell you what type of Application it is - Intel or Universal. If it is Intel, the app will run under Rosetta. If it’s Universal it can run natively on both M1 and Intel.
Aha. Yep -- It's Intel. So looking like Rosetta on borrowed time!
 
Not a 1Password user, but if I've understood correctly, having a local vault means your passwords will not be synced across multiple devices, no? 🧐

They can be synced across multiple devices, but one device would need to be the master device that holds the vault. For example, my Mac has my vault on it, and I use the WLAN server feature within 1Password to sync my iPhone and iPad to the vault on my Mac. If I ever update a password on any of those devices, I make sure to open 1Password on my Mac, activate the WLAN server function, and sync.

Apparently in 1Password 8, that functionality is no longer available, meaning to do what I am doing, I have to send my passwords/data from my Mac up to 1Password's servers, then connect to those servers with 1Password 8 on both my iPhone and iPad, and sync those there from now on. That is part of the problem, while the security implications of doing such is another - and albeit HUGE - problem.

BL.
 
And just because they have never been hacked doesn't mean that they will NOT be hacked.

I mean, PasswordState is one of those places that has "never been hacked". Oh, wait:


Every single user of those services had to go around and change all of the passwords they had held in those services. That's a LOT. And personally, with having been part of an organization that maintained a HIPAA-compliant database that was breached and exposed, that's a LOT of changes and disclosure that has to be done, causing that company's users to have to not only change passwords, but get fraud monitoring services due to the extent of the damage caused by that "hack".

Never say Never.. heh; Never Say Never Again. - James Bond.



Yes, this. Thanks. My Mac is basically being the server for WLAN server sync. If that is still there, then I'm okay. I'll give it a shot on my iPad and see what I get.

BL.

You do know if the passwordstate “hack” was replicated the same way against 1Password it would have impacted you and your WLAN server choice? 😀 The client software was compromised by way of a rogue software update. You would have received that same compromised update even with 1Password.com syncing turned off.
 
To be fair, your original post didn’t make mention of the share sheet. Its wording implied the app didn’t work at all.

You said, and I quote, "You don’t lose functionality when upgrading to 7.8". Let's say those who read my comment and held off on updating are happy today they get to keep their share sheet.
 
You do know if the passwordstate “hack” was replicated the same way against 1Password it would have impacted you and your WLAN server choice? 😀 The client software was compromised by way of a rogue software update. You would have received that same compromised update even with 1Password.com syncing turned off.

I actually would have been protected against any hack, because I would control my vault, not it being in possession of any SaaS. I have never used 1Password.com syncing, nor would I ever intend to. Because of that, anyone malicious would have to get physical hands on my Mac or the drives I have that contain my vault. That is the difference, because 1Password 8 no longer has the WLAN Sync functionality to keep a standalone vault. I would be forced to store my vaults on 1Password's servers. If someone hacks that service and gets physical hands on my vault, I'm compromised. That goes for any SaaS. Passwords, and any PCI or PII data is not worth that risk, especially if the service isn't subject to audit.

I work at a place that hosts and stores credit card (PCI) data. Because of the standards for that industry, we must be subject to multiple security audits regarding that data. No such controls exist on these services, which includes no liability in case those services are compromised. That is a huge liability to any company, and any client of that company (and that includes the government, who are also clients of that company).

Like I said in another thread, the feature of having convenience should never be at the cost of the security of your data.

BL.
 
I actually would have been protected against any hack, because I would control my vault, not it being in possession of any SaaS. I have never used 1Password.com syncing, nor would I ever intend to. Because of that, anyone malicious would have to get physical hands on my Mac or the drives I have that contain my vault. That is the difference, because 1Password 8 no longer has the WLAN Sync functionality to keep a standalone vault. I would be forced to store my vaults on 1Password's servers. If someone hacks that service and gets physical hands on my vault, I'm compromised. That goes for any SaaS. Passwords, and any PCI or PII data is not worth that risk, especially if the service isn't subject to audit.

I work at a place that hosts and stores credit card (PCI) data. Because of the standards for that industry, we must be subject to multiple security audits regarding that data. No such controls exist on these services, which includes no liability in case those services are compromised. That is a huge liability to any company, and any client of that company (and that includes the government, who are also clients of that company).

Like I said in another thread, the feature of having convenience should never be at the cost of the security of your data.

BL.

How would you be protected against any hack if the 1Password local client on your mac storing and managing your passwords had been compromised (as was the case with the PasswordState example you handpicked)?

It doesn't matter if your vault is stored locally or in the cloud. If the client you use is hacked, the moment you decrypt your entire vault with the master password you're in trouble if your 1Password client has been compromised.
 
How would you be protected against any hack if the 1Password local client on your mac storing and managing your passwords had been compromised (as was the case with the PasswordState example you handpicked)?

One would have to have physical contact of my Mac to get to 1Password. They would have to break into my house or wherever I am and physically take my Mac. That is completely different than a service being available 24/7 and susceptible to hacking at any and all times of the day. Not only would the attack vector be different, but the methods of attacking would be completely different.

It doesn't matter if your vault is stored locally or in the cloud. If the client you use is hacked, the moment you decrypt your entire vault with the master password you're in trouble if your 1Password client has been compromised.

See the above in regards to the client. However, the bigger issue would be the server or the service. The clients have nothing to do with it at that point. In fact, the clients wouldn't matter at all if the server/Service is compromised. If the server/service is compromised, there goes all of your passwords, regardless of what client you use.

BL.
 
One would have to have physical contact of my Mac to get to 1Password. They would have to break into my house or wherever I am and physically take my Mac. That is completely different than a service being available 24/7 and susceptible to hacking at any and all times of the day. Not only would the attack vector be different, but the methods of attacking would be completely different.



The client isn't what would be hacked. It would be the server or the service. The clients have nothing to do with it at that point. In fact, the clients wouldn't matter at all if the server/Service is compromised.

BL.

Nope. If your 1Password client is compromised, your passwords will be sent to a rogue server in the cloud without you even knowing it. Hackers won't be respecting your WLAN only client setting in their modified version. :D

The client IS WHAT WAS HACKED in the PasswordState example you provided. They delivered a compromised software update to PasswordState servers, and that software update was then delivered to end users via the software update mechanism in PasswordState.
 
Nope. If your 1Password client is compromised, your passwords will be sent to a rogue server in the cloud without you even knowing it. Hackers won't be respecting your WLAN only client setting in their modified version. :D
You still don't get it. I am NOT sending anything into any cloud service. My vault is My Mac. The only things that connect to it are my iPhone and iPad, as the Mac is running the WLAN server feature from 1Password. Again, none of my passwords or my vault are stored in any cloud service; rogue, trusted, or otherwise.

The client IS WHAT WAS HACKED in the PasswordState example you provided. They delivered a compromised software update to PasswordState servers, and that software update was then delivered to end users via the software update mechanism in PasswordState.

Again, you miss the point. The client is still connecting to an external server or outside service. I am doing neither of the sort. My vaults NEVER LEAVE MY MAC.

BL.
 
I actually would have been protected against any hack, because I would control my vault, not it being in possession of any SaaS. I have never used 1Password.com syncing, nor would I ever intend to. Because of that, anyone malicious would have to get physical hands on my Mac or the drives I have that contain my vault. That is the difference, because 1Password 8 no longer has the WLAN Sync functionality to keep a standalone vault. I would be forced to store my vaults on 1Password's servers. If someone hacks that service and gets physical hands on my vault, I'm compromised. That goes for any SaaS. Passwords, and any PCI or PII data is not worth that risk, especially if the service isn't subject to audit.

I work at a place that hosts and stores credit card (PCI) data. Because of the standards for that industry, we must be subject to multiple security audits regarding that data. No such controls exist on these services, which includes no liability in case those services are compromised. That is a huge liability to any company, and any client of that company (and that includes the government, who are also clients of that company).

Like I said in another thread, the feature of having convenience should never be at the cost of the security of your data.

BL.
It’s interesting you mention the standards of your industry for storing credit card data and being subject to audits. They don’t seem to do much, there are innumerable occasions when credit card data has been stolen. 🤷‍♂️
 
You still don't get it. I am NOT sending anything into any cloud service. My vault is My Mac. The only things that connect to it are my iPhone and iPad, as the Mac is running the WLAN server feature from 1Password. Again, none of my passwords or my vault are stored in any cloud service; rogue, trusted, or otherwise.



Again, you miss the point. The client is still connecting to an external server or outside service. I am doing neither of the sort. My vaults NEVER LEAVE MY MAC.

BL.

You are missing the point. Your client will be connecting to a remote server if it is compromised in the way the PasswordState "hack" occurred. It will be sending your data to a remote server, or servers plural. That's the entire point of delivering a compromised client payload. The hackers modify the client to take control of your data. They don't care whether your vault is cloned in the cloud, or stored only on your Mac, once you've decrypted your data with the master password they can control that data with a hacked client.

Keeping the data local on your Mac is only good until a) your Mac is hacked or exploited in some way, or b) the client you use to interact with that data is compromised in some way.

You cited a terrible example to demonstrate your WLAN cause. That's the point. I'll help you out some more: run a little Google search on "Lastpass hacked". There's a slightly better example for you to use.
 
It’s interesting you mention the standards of your industry for storing credit card data and being subject to audits. They don’t seem to do much, there are innumerable occasions when credit card data has been stolen. 🤷‍♂️

That would be the problem with the people holding the data. The card processing companies are subject to audits annually if not more frequently, and have not had a problem. The company I worked for handles fraud monitoring for every major bank in the country. In the 12 years I have been there, there has not been a single breach. And this is for a company that also provisions credit card terminals for merchants.

If data has been stolen, that would be at the merchant's end, not the processor. For example, TMobile would be the merchant, while TSYS, FISGlobal, or similar would be the processor.

BL.
 
You are missing the point. Your client will be connecting to a remote server if it is compromised in the way the PasswordState "hack" occurred. It will be sending your data to a remote server, or servers plural. That's the entire point of delivering a compromised client payload. The hackers modify the client to take control of your data. They don't care whether your vault is cloned in the cloud, or stored only on your Mac, once you've decrypted your data with the master password they can control that data with a hacked client.


You still do not get it. My client is not connecting to a remote server. My Client and My server are MY MAC. They are local. The client is ON THE SERVER. No data for that leaves My Mac. I open 1Password, open the vault on my Mac, add my entries, save the data on my Mac, and close the program on my Mac.

There is no remote server involved. This is similar to opening Microsoft Word on your Mac or PC, creating a document, saving it to your local disk on your Mac or PC, and you're done. Tell me: what remote server would you be connecting to for that?

The answer: there is no remote server.

The only clients that would be connecting to my Mac would be my iPhone and my iPad, only for the duration of WLAN server being turned on. Once that sync is done, WLAN server is turned off, and I am done. For that, any malicious client would have to be on my physical network at the least, or directly connected to my Mac for that sync to be done. If that isn't done, there is no access to my vault. And that is all barring any controls I have on my network (read: firewalls) to deny all access to my network, and allow only certain services into and out of my network.

Keeping the data local on your Mac is only good until a) your Mac is hacked or exploited in some way, or b) the client you use to interact with that data is compromised in some way.

Hence what I said before: they would have to have physical hands on my mac to exploit my Mac to get to my vault. If they don't have that, they aren't getting to it. But I would have bigger issues if they got physical hands on

You cited a terrible example to demonstrate your WLAN cause. That's the point. I'll help you out some more: run a little Google search on "Lastpass hacked". There's a slightly better example for you to use.

No, it is a good example as well. The issue here is that the service had a problem that caused their users to have to update their passwords. Any service that has that issue is a problem. I would rather have control over my passwords, PCI, and PII data entered into my vaults than hand over that control to a service that could be compromised.

BL.
 
You still do not get it. My client is not connecting to a remote server. My Client and My server are MY MAC. They are local. The client is ON THE SERVER. No data for that leaves My Mac. I open 1Password, open the vault on my Mac, add my entries, save the data on my Mac, and close the program on my Mac.

The hacked 1Password client is modified in such a way that it connects to a remote server controlled by the hackers.

It is terrifying that you do not understand this fundamental point while giving out advice to others.
 
You still do not get it. My client is not connecting to a remote server. My Client and My server are MY MAC. They are local. The client is ON THE SERVER. No data for that leaves My Mac. I open 1Password, open the vault on my Mac, add my entries, save the data on my Mac, and close the program on my Mac.

There is no remote server involved. This is similar to opening Microsoft Word on your Mac or PC, creating a document, saving it to your local disk on your Mac or PC, and you're done. Tell me: what remote server would you be connecting to for that?

The answer: there is no remote server.

The only clients that would be connecting to my Mac would be my iPhone and my iPad, only for the duration of WLAN server being turned on. Once that sync is done, WLAN server is turned off, and I am done. For that, any malicious client would have to be on my physical network at the least, or directly connected to my Mac for that sync to be done. If that isn't done, there is no access to my vault. And that is all barring any controls I have on my network (read: firewalls) to deny all access to my network, and allow only certain services into and out of my network.



Hence what I said before: they would have to have physical hands on my mac to exploit my Mac to get to my vault. If they don't have that, they aren't getting to it. But I would have bigger issues if they got physical hands on



No, it is a good example as well. The issue here is that the service had a problem that caused their users to have to update their passwords. Any service that has that issue is a problem. I would rather have control over my passwords, PCI, and PII data entered into my vaults than hand over that control to a service that could be compromised.

BL.
I think you're missing the point of what @dumastudetto is saying:

You update 1Password 7 to the latest version. The version you update to has been compromised either en route, or 1P's servers that host the update have been compromised and are pushing out a hacked version of the client. Once you've installed the update, regardless of your settings, a backdoor has been installed and the minute you unlock your vault, all the items inside are silently uploaded to a 3rd party server.

This type of security breach wouldn't require physical access to your computer, as you would be the one installing the compromised update.
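
As an added illustration that is not part of the thread or of 1Password's own tooling: the scenario above leaves one observable trace, namely a client that is supposed to sync only over the LAN holding a connection to an address outside it. The sketch below checks `lsof -i -n -P` style output for that; the process name `1Password`, port 6263 and every address in the sample are constructed assumptions.

```python
import ipaddress
import re

# Address ranges counted as "local" for a LAN-only sync setup (assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                    # link-local, loopback
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 equivalents
)]

# Remote end of the NAME column in `lsof -i -n -P` output:
#   local->remote:port (STATE); IPv6 hosts are wrapped in [].
REMOTE_RE = re.compile(r"->\[?([0-9A-Fa-f:.]+?)\]?:(\d+)(?:\s+\(\w+\))?\s*$")


def is_local(addr):
    """True if addr falls inside one of LOCAL_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)


def nonlocal_connections(lsof_lines, process):
    """Return (pid, remote_ip, remote_port) for each connection the named
    process holds to an address outside LOCAL_NETS."""
    hits = []
    for line in lsof_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != process:
            continue
        m = REMOTE_RE.search(line)
        if not m:  # listening sockets have no remote end
            continue
        remote, port = m.group(1), int(m.group(2))
        if not is_local(remote):
            hits.append((int(fields[1]), remote, port))
    return hits


# Constructed sample in lsof's column layout, not captured from a real machine.
# The process name and port 6263 are assumed for illustration.
SAMPLE = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
1Password  4021 user   12u  IPv4 0xabc4      0t0  TCP *:6263 (LISTEN)
1Password  4021 user   23u  IPv4 0xabc1      0t0  TCP 192.168.1.10:6263->192.168.1.23:51544 (ESTABLISHED)
1Password  4021 user   27u  IPv4 0xabc2      0t0  TCP 192.168.1.10:50211->203.0.113.7:443 (ESTABLISHED)
Safari     1187 user   40u  IPv4 0xabc3      0t0  TCP 192.168.1.10:50300->198.51.100.20:443 (ESTABLISHED)
""".splitlines()

if __name__ == "__main__":
    for pid, ip, port in nonlocal_connections(SAMPLE, "1Password"):
        print(f"pid {pid}: connection to non-local address {ip}:{port}")
```

A snapshot like this only sees connections that are open at the moment `lsof` ran, so it is a spot check rather than continuous monitoring.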
 
The hacked 1Password client is modified in such a way that it connects to a remote server controlled by the hackers.

It is terrifying that you do not understand this fundamental point while giving out advice to others.

You still seem to neglect the fact that someone would have to have physical access to my Mac to be able to do anything, client, vault, or otherwise.

You are still neglecting the fact of the set of controls protecting my hardware, which would be in my possession at all times, for anyone to do anything to it.

It is terrifying that you are not understanding this fundamental point while trying to contradict facts justifying my position, while trying to repeat the same thing over and over again to expect a different result. But I digress; I'm not going to take this to a personal level.

BL.
 
I think you're missing the point of what @dumastudetto is saying:

You update 1Password 7 to the latest version. The version you update to has been compromised either en route, or 1P's servers that host the update have been compromised and are pushing out a hacked version of the client. Once you've installed the update, regardless of your settings, a backdoor has been installed and the minute you unlock your vault, all the items inside are silently uploaded to a 3rd party server.

This type of security breach wouldn't require physical access to your computer, as you would be the one installing the compromised update.

This assumes that I am updating my client. Right now, due to how old my Mac is and how far it can be supported, I can't, nor will I be able to update. I'm stuck on 1Password 6 because of the functionality needed. That has been mentioned and documented a number of times.

BL.
 