Man, that is bad news for those who used LastPass. I can just imagine the target that is on 1Password's online users. Someone will be trying to find a way, I am sure. Imagine having your credit card or other financial details on LastPass when this hack happened. That would be such a headache, just thinking about what you would need to do now. :shudder:

Offline storage is the best place for passwords and any important information.

Hopefully this causes companies like AgileBits/1Password to rethink their subscription-only model and start to offer standalone licenses again.

BL.
 
I've been a lastpass user for maybe a decade now? I just setup a 1Password 2 week trial.
 

As much as I think 1Password sets the bar for password managers, in this case, you're switching from Jonathan apples to Honeycrisp apples because the worms have infested the Jonathan apples while knowing full well that worms like all apples.

In this case, you're still dealing with the same problem: storing sensitive data in the cloud and hoping that the SaaS provider holding your data will keep it secure. We've seen that LastPass isn't capable of doing that, and regardless of how many password protections are put on one's vault, the fact that malicious users can actually get to your vault, let alone access it, is problem enough to not want to store any personal data (passwords, PII data, etc.) at any cloud-based SaaS.

This is why I stayed with 1Password 6.x as long as I could (I wish I had a valid upgrade path to a standalone version of 1Password 7, but there isn't), and as such, migrated to Enpass. At least with that, I have a standalone license that works on all devices I have it on, and leaves me in control of my vault. I have it on my Mac, and sync between it, my PC, my iPhone, and iPad, and back up my vault to my NAS. And none of that touches the internet, or any cloud service.

I'd rather be in charge of it and pay the one-time fee than be forced into a subscription service where I'm paying over and over again for the same service, when in 4 months' time the standalone license pays for itself (at the cost of a SaaS provider's subscription rate).

BL.
 
The drama continues, as now 1Password has stepped into the argument.


At this point, it is sounding like both are trying as hard as they can to hold on to their respective bases, and there is no doubt that 1Password is financially invested in this incident, as they want to use this to draw LastPass users to them.

I'm starting to look at passkeys now, if a given site supports it. It won't eliminate the need for a password manager, but it will surely mitigate the potential vulnerabilities arising from it.

BL.
 
Does anyone know if using Apple's built-in password manager is more secure than LastPass? Or is it just as possible that it can be hacked like LastPass was?
 
Is it possible that iCloud Keychain could be hacked? Yes, in that any data in the cloud is susceptible to hacking and potential theft. The data is encrypted before it is sent to Apple and was fully encrypted. LastPass chose to only encrypt certain fields, leaving important fields, like the URL, unencrypted on the
 
Nothing about the LastPass hack changes the pros and cons of 1Password. 1Password had to weigh in because of public perception; they had to explain why the LastPass problems didn't apply to their own product. And, they want to get the customers that are leaving LastPass.

A silly analogy - just because one bank failed, I'm not going to start keeping my money under my mattress.

At the end of the day, you have to trust the software you're using. Even if you have offline vaults, if the software is compromised, then all bets are off. The theft of LastPass' source code is a major issue since hacked versions of the application are likely in the wild. In reading about LastPass' approach to security of the vaults, I was amazed at how inferior it is. I had always assumed that all password managers used more sophisticated techniques like those of 1Password.

I trust AgileBits, the company, and their product 1Password. I require offsite backup, so purely local vaults are not an option for me.

I got a lot out of reading https://infosec.exchange/@Jwilliams/109586918036144213. He is pretty clear that LastPass is crap and 1Password is great. Two quotes:

I personally know the people who architect 1Password and I can attest that not only are they extremely competent and very talented, but they also actively engage with the password cracking community and have a deep, *deep* desire to do everything in the most correct manner possible. Do they still get some things wrong? Sure. But they strive for continuous improvement and sincerely care about security. Also, their secret key feature ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable.

and

Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.
 
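As an added illustration of the "secret key" point in the quote above, and of why a vault should survive being stolen: this is not 1Password's code or anything posted in this thread, but a small model of two-secret key derivation of the kind 1Password's security design describes (password stretched with PBKDF2, high-entropy secret key through HKDF, the two XORed). The iteration count, the key-check value and the base32 secret-key format are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Illustrative parameters (assumptions, not any product's real settings)
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    # Minimal HKDF (RFC 5869): extract a PRK, then expand it to `length` bytes.
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_secret_key() -> str:
    # 128 bits from the OS CSPRNG, shown to the user once and never sent to the server.
    return base64.b32encode(secrets.token_bytes(16)).decode().rstrip("=")


def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    # The low-entropy password is stretched with PBKDF2; the high-entropy secret
    # key only needs HKDF. XORing the two means a guess at either half alone,
    # even a correct one, reveals nothing about the vault key.
    from_password = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)
    from_secret = hkdf_sha256(secret_key.encode(), salt, b"vault-key")
    return bytes(a ^ b for a, b in zip(from_password, from_secret))


def create_vault(password: str, secret_key: str) -> dict:
    # Store only the salt and a key-check value, so a wrong credential can be told
    # apart from a corrupted file; the key itself is never written anywhere.
    salt = secrets.token_bytes(16)
    key = derive_vault_key(password, secret_key, salt)
    return {"salt": salt, "kcv": hmac.new(key, b"key-check", hashlib.sha256).digest()}


def can_unlock(vault: dict, password: str, secret_key: str) -> bool:
    key = derive_vault_key(password, secret_key, vault["salt"])
    tag = hmac.new(key, b"key-check", hashlib.sha256).digest()
    return hmac.compare_digest(tag, vault["kcv"])


def demo_two_secret() -> tuple:
    # Constructed scenario: a copied vault plus the correct password still fails
    # without the secret key, and the secret key alone fails without the password.
    secret = new_secret_key()
    vault = create_vault("correct horse battery staple", secret)
    return (
        can_unlock(vault, "correct horse battery staple", secret),
        can_unlock(vault, "correct horse battery staple", new_secret_key()),
        can_unlock(vault, "wrong password", secret),
    )
```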
An article on the foibles of letting a company store your passwords:


Just read it. I really didn't like it. I found it light on content, misleading, and dangerous.

He writes:

I take a hybrid approach. I use a password manager that does not store my data in its cloud. Instead, I keep my own copy of my vault on my computer and in a cloud drive that I control myself. You could do this by using a cloud service such as iCloud or Dropbox.

Which means he's OK if you store your passwords on Dropbox. Yikes! He doesn't bother mentioning that if you do, those vaults had better be of the caliber and safety of (for example) 1Password vaults and not "vaults" like those used by LastPass.

I also suspect the "cloud drive" he controls himself is at risk. He seems to be OK with people rolling their own remotely accessible server to keep their passwords on. Yikes! That's a recipe for disaster unless the person doing that is extremely competent.

And, he doesn't bother mentioning the real risk of a fire or other natural disaster which could destroy your passwords and other private documents if you don't maintain some offsite backup.

He writes:

This breach was one of the worst things that could happen to a security product designed to take care of your passwords.

I don't agree. Theft of vaults is not even close to as bad as compromised software or poorly designed vaults.

The "lead consumer technology writer for The New York Times" does seem to know much about this topic.
 
Did you read it carefully? He’s not saying eliminate password managers.

He opens up a thought about using vaults that don’t rely on a centralized storage managed by the company of the password manager. He even gave an example of such a vault.

Recall that prior to version 8 of 1password, you could store your vault locally or on your own desired cloud service. That’s exactly what he’s talking about. And that’s actually exactly what I use: 1Password version 7, cloud storage but not by 1Password.com.

One of his main points is that he prefers not to have his vault stored centrally by the company that makes the password manager. He argues that the chances of being hacked are higher because hackers would be more interested in hacking a company that stores everyone's vault than hacking some random person's cloud account.

The writer has nuance in his article. It’s not all black and white.
 
Did you read it carefully?

I hope we can stay on topic rather than challenge my ability or intention to comprehend what I read.

Let me try to help you understand the thinking behind my post. You posted a link to the article with the summary:

An article on the foibles of letting a company store your passwords:

Assuming you know the definition of "foible" and that you used the correct word, you are saying that the author of the article thinks a user is making a mistake, or making a strange decision, in letting a password manager company store their passwords. Certainly, you're suggesting that the author presents a case against storing passwords using a password manager's server. I found that strange, so I decided to read the article.

Instead of your interpretation, I saw the article as a warning about the risks of storing passwords on a password manager's server. I was hoping to find a serious article mentioning other risks and mitigating factors, but the only counter to his sounding the alarm was the sentence

Internet security often involves weighing convenience versus risk.

Rather than challenge your interpretation of the article as exposing the foibles of people using password manager servers, I decided to critique the article directly.

I stand by my position that the author knows very little about the topic. It's probably an appealing article for people who are already against storing passwords externally. But he revealed a startling naivety about viable alternatives to storing passwords and about the risks of each.

I suspect the author would consider a LastPass vault on his self-managed cloud server to be more secure than a 1Password vault on 1Password's server. That's the kind of impression an unsuspecting, less technical reader would be left with.

It's wrong to assume that Dropbox or another external site is safer just because it's not known that passwords are being stored there. Services like Dropbox are a prime target since all sorts of sensitive user data is kept there (e.g. bank statements); passwords kept there will be just part of the haul. Encrypted documents will be recognized as such and be considered high value.

At least a Dropbox breach would ultimately be announced. The author will never learn if his personal cloud server is breached.

I believe it's also unsafe to store poorly protected passwords on a home network. Home networks are sometimes infiltrated. Home networks are perilous if not segmented to keep dangerous devices and the devices of guests away from computers with sensitive data. Even those computers should be handled very carefully. Most people just don't pay attention to such things. Some people don't even bother keeping firewalls up on their home computers.

I can just imagine some user reading the article and thinking "Yikes, I'm going to take all my passwords out of 1Password and just store them in Excel on my private computer. That's the ticket!" After all, the author did mention 1Password and LastPass in the same sentence:

When you use a password manager like LastPass or 1Password...

I wrote:

The "lead consumer technology writer for The New York Times" does seem to know much about this topic.

That's pretty hilarious. I meant "does NOT seem to know". I really need someone to edit my writing. So does the author of that article (sitting next to the lawyer checking his work for negligence).
 
Thanks for sharing your thoughts on that. I think we shall differ on the matter.

I can’t say I necessarily agree that letting 1Password store passwords on their centralized server is a bad thing, but the article obviously points out that the author isn’t unique in holding that view; some security experts at least suggest so too. The article came to my attention from a friend, a long-time computer scientist (since retired) from Carnegie Mellon.

Anyhow, that’s all.
 
I switched from LastPass to 1Password back in March (after I read some kind of article - don't know whether it was over a previous LP breach or their business decisions/update to their fee structure). The more I read about this C.F. though, the closer I am to dropping 1Password and hosting/syncing things manually with KeyPass.
 

1Password is great; my personal problem with them is being forced to their cloud solution and subscription, because they then hold the data, and I’m forced into their payment model.

But because I want to be in control of my vaults and where they are located, I’m stuck on 1PW 6, as there is no upgrade path to the last standalone version of 1PW 7.

However, with the move to Silicon, and 1PW 6 being an Intel binary, my days with 1Password were numbered, so I cut my losses and migrated to Enpass. If 1Password brings back a standalone version again - especially because of a breach like what LastPass had and due to it being centralized - I’ll jump on it. But I’m not holding my breath that 1Password will do that.

BL.
 
I still have a non-cloud version. I just checked and it's V7.9.8 (70908000). I refused their sweet words to move and they gave in. Can't remember how I did it.
 
For Mac? Then you’re in the sweet spot. 1Password 7 is still available, but you can no longer purchase the standalone license for it, as they took down the servers provisioning those licenses. They only allow you to purchase a subscription through 1PW 7 or 1PW 8 now, and if you don’t, it locks your standalone vault in read-only mode until you do purchase a subscription. And worse, reverting back to a previous version still keeps your vault locked.

I found that out the hard way on my MBA; I did a full TM restore to get my full functionality back.

So with that, and Intel going away, I was stuck, so I cut my losses and went to Enpass. Hopefully something like LastPass getting hacked will have them reconsidering re-releasing a standalone version.

BL.
 
Regarding reverting to previous version: Just have an export backup of your database and import that into version 6 if you need to. I do that with an older Mac that can only run v6 (Mac App Store), all the time. Works fine.

I am still on Version 7 until I make the move to StrongBox.
 
I just wanted to mention one thing to people using offline vaults. Make sure your offsite backups are versioned. Otherwise a ransomware attack (or some other file corruption) would disable the vault on your local machine and that disabled vault would overwrite your backup.

OneDrive and Dropbox keep 30 days of versions (although I wouldn't trust them with anything but the most secure vault, since they have access to your data). iCloud Drive does not keep versions at all. Also, ransomware attacks will likely lock up your entire Time Machine drive, so that would not serve to rewind to a non-broken version of your vault.

I use Arq Backup. It encrypts the backups. One of my destinations is AWS. I set one of my buckets to support Arq Backup's immutable flag, which is designed to protect your backups against ransomware or other file corruption. Since we all have to have offsite backups, I think this approach is a pretty secure way to handle that requirement. (I have an encrypted disk image of my 1Password 1pux and csv backups. That image is backed up to that bucket.)

1Password is automatically protected against ransomware attacks since the vault, as a file, is never transferred to their servers. If your local vault gets locked up, 1Password will no longer be able to sync with their servers, so the contents on their servers are safe. But I still feel the need to export their data and back it up myself.
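As an added example (not from this thread, and not any backup product's own code) of the versioning point above: a small routine that rotates a vault export into timestamped copies, refuses to rotate in a source file that no longer looks like a valid export (what a ransomware-encrypted .1pux would look like), never overwrites an existing version, and records digests in a manifest. The timestamp naming, the manifest layout and the constructed placeholder export are assumptions made for the example.

```python
import hashlib
import json
import shutil
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path


def looks_healthy(src: Path) -> bool:
    # A .1pux export is a zip archive; a file that ransomware has encrypted in
    # place fails the zip and CRC checks and must not replace a good version.
    if src.suffix == ".1pux":
        if not zipfile.is_zipfile(src):
            return False
        with zipfile.ZipFile(src) as zf:
            return zf.testzip() is None
    return src.stat().st_size > 0


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_versioned(src: Path, dest_dir: Path, keep: int = 10, now=None) -> Path:
    # Copy src under a timestamped name, keep the newest `keep` versions and record
    # digests. Nothing is overwritten in place, so a bad source is refused, not merged.
    if not looks_healthy(src):
        raise ValueError(f"{src.name} failed sanity checks; existing versions kept")
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    target = dest_dir / f"{src.stem}.{stamp}{src.suffix}"
    shutil.copy2(src, target)
    manifest = dest_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append({"file": target.name, "sha256": sha256_of(target)})
    versions = sorted(dest_dir.glob(f"{src.stem}.*{src.suffix}"))  # names sort by time
    for old in versions[:-keep]:
        old.unlink()
    entries = [e for e in entries if (dest_dir / e["file"]).exists()]
    manifest.write_text(json.dumps(entries, indent=2))
    return target


def demo_versioned_backup() -> tuple:
    # Constructed scenario: two good exports, then the source gets corrupted.
    work = Path(tempfile.mkdtemp())
    src, dest = work / "vault.1pux", work / "offsite"
    with zipfile.ZipFile(src, "w") as zf:
        zf.writestr("export.data", "{}")  # placeholder contents, not a real export
    first = backup_versioned(src, dest, keep=2, now=datetime(2023, 1, 1, tzinfo=timezone.utc))
    second = backup_versioned(src, dest, keep=2, now=datetime(2023, 1, 2, tzinfo=timezone.utc))
    src.write_bytes(b"\x00\xffnot-a-zip")  # simulates ransomware rewriting the export
    try:
        backup_versioned(src, dest, keep=2)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, first.exists(), second.exists(), len(list(dest.glob("vault.*.1pux")))
```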
 
In all honesty, if you're on the standalone version of 7, you really don't have to migrate; from what I've read especially in this thread, 1PW 7 is a universal binary, so it not only won't require Rosetta 2 to run on your Mac, but will also survive the dropping of Intel support from MacOS. And as the license is lifetime, you're totally set forever.

I'm good on this one, as Enpass does version their backups. Additionally, if they weren't, or I'd even say if 1Password 6 wasn't versioned, Time Machine does version, and I back up my Mac at least once a week. As I also back up my vaults to my Synology NAS, I also back up my NAS with Hyper Backup, which also does versioning, similar to how Time Machine versions backups from a Mac. So I'm doubly covered here.

BL.
 
I didn't doubt for a minute that you'd have the bases covered. :)

Mine was more of a warning for the less experienced. Backups are so important if you keep things locally; no one else is going to help you in the case of data loss. It's especially important to consider carefully how you'll do offsite backups. No password solution can assume your data is only on devices that you maintain physical access to. Password best practices must not be inconsistent with backup best practices.
 