A lot of people are talking about icloud/keychain, is it really an alternative to Bitwarden/1pass/lastpass?

How do you manage family sharing password?

Is iCloud Keychain ok with Chrome?
Is it ok with websites with 2 login windows (like first page is login, second page is password)?
 
I had them for years and thought the UI and integration was great but when they moved over to a paid subscription forcing their long time users into a paid tier is when I left for another provider which I find is even better than LP. However didn’t LastPass say when they introduced the paid memberships that it was so they could beef up their security?
 
I use 1Password but only the version that stores my info on my local computer. They want everyone to go to their cloud based plan but I refuse to do so. I will hold out as long as possible.

One reason I continue with 1Password is it does a lot more than just store usernames and passwords. I can store Bank info, credit card info and more. Keychain only stores login credentials. If Apple ever decides to expand what Keychain allows you to store, I will make the switch. But right now it's too limited to be a complete manager for me.
 
I used 1Pass for years until it went to a subscription model and now use Bitwarden.
Hopefully the Apple setup works as good or better than both programs. (fingers crossed)

I visit the Bitwarden site to check it out and I'm presented with a pricing options button.

How does it sync between Mac and Windows?
 
There's a Windows extension for Chrome/Edge. And it supports 2FA codes as well. You just need the Microsoft Store version of iCloud.
And Linux and Android? Sharing passwords with family members? iCloud is useless with this.
Because some of us have to work across platforms. If one were to only stay within the Apple ecosystem, sure you can use the built-in password manager.
Exactly. I play around with Linux and android also, password managers make this very easy.
 
I use Enpass for my service because you use your own cloud and no syncing of any data with the company.
 
I visit the Bitwarden site to check it out and I'm presented with a pricing options button.

There is a free tier with all the most important features for personal use.

How does it sync between Mac and Windows?

Through a cloud service which hosts your "vault" with your encrypted password on their server. You can host your own service on your own server if you so wish if you want or need your own independent solution.
 
I use 1password 6, works well, not stored on Canada's servers, stored on my machines, works with 3 old G4's, G5, Mac Pro, Windows. No subscription model. I wish someone made a password storage that based the data in Switzerland.
 
"I use XYZ service!" - yeah, like XYZ cannot be hacked?

Fixing security by putting all eggs in one basket and trusting some 3rd party to take care of those. Yeah, right. Sounds like such a good plan!
 
  • Disagree
Reactions: Mr. Heckles
I'm a long-time user of 1Password. I love the service. I have family sharing with my wife and it makes everything a breeze. She is not technical at all, but having a shared vault and the ease of use from 1Password has her using complex randomly generated 50-character passwords, a different one for each service.
I could have written this post myself. I have my own vault, my wife has hers and we have a bunch of things shared. We pay $60 a year for logging into things to be a completely solved problem. We've even got scans of our drivers licenses and a few other docs in there. The UI is easy to use and I've yet to hear of a security breach with them. I get the aversion to subscriptions but this is something I use every day and it works securely and well. I'm happy to pay the price.
 
"I use XYZ service!" - yeah, like XYZ cannot be hacked?

Fixing security by putting all eggs in one basket and trusting some 3rd party to take care of those. Yeah, right. Sounds like such a good plan!

The idea is that said basket is far more secure than the alternatives.

That said, services like Bitwarden offer instructions to host your own service instance.
 
  • Like
Reactions: Flood4
This is why I never use these 3rd-party services for password storage. It's literally giving the keys to the kingdom away to someone for safekeeping. The aftermath of this hack is profound. Even an email account compromised could result in tremendous financial losses. But, bank account names and numbers stolen in such a hack is tremendously disruptive to one's life even if the bank eventually agrees to reimburse for the hacked account, which I'm not exactly sure they are going to do because the hack occurred outside of their systems.

A hack like this should put this company out of business. I don't know who would continue entrusting them with passwords after this.
 
I'm a happy 1Password user. Sure, it's a subscription but:

- the subscription is much less than the cost of my time setting up, hosting and maintaining my own password manager setup

- YMMV but the 1Password staff - full-time, including security professionals etc - will be able to do this much better than my efforts (even if I had the time) - it's much more likely that I'll seriously mess up rather than them

- I use 1Password everyday so the small monthly cost is worthwhile to me

- it's cross-platform

- I don't mind the Electron Mac app - it does its job and gets out of my way when not needed

- if it goes wrong or there's a bug which affects me, there's someone at 1Password I can contact and get meaningful responses - compare that to trying to get anything from Apple for bugs in macOS!
 
The aftermath of this hack is profound.
Except it's not. From the summary "Our customers' passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture." It's a something you have (the key) and something you know (your master password) system. Short of breaking the encryption itself (which would indeed be profound) the data are safe.
 
  • Like
Reactions: rukind2
It’s running in a docker container on my NAS so all my devices sync with it perfectly when they’re connected to my home network and the data volume is backed up nightly to both a separate NAS and to an encrypted cloud service. There is no external access to my home network.

Hopefully I’ve got all bases covered. It requires some hardware and some technical know-how to set up but it is quite a neat solution. It could probably be run just fine on a cheap Raspberry Pi too.
Just a minor detail... If your home network is connected to the Internet one way or another, there may be external access to your network despite any firewalls. Only a completely isolated network is safe, as long as you do not use wireless access and can take care of the physical security of the network. Most home networks offer some Internet connectivity, that is usually their main purpose.

I am not completely sure that a Docker running on a NAS would be any safer than LastPass. For example, if there is a nasty zero-day vulnerability in your NAS, someone may be in there as a root even now. Usually, the big security companies are better equipped to detect intrusion than private home networks.

It might well be that you are a cybersecurity professional with enough spare time to take care of good security, in which case everything above is obvious, and you have taken care of everything. I am not by any means a security professional but I have been responsible for developing some cloud services with some rather critical infrastructure connected to the service. That has taught me enough to treat my home network and all devices in it as unsafe because I have a vague idea of what it would take to harden the network security.

(And, yes, the security model of bitwarden is good. Similarly to LastPass, compromising the server does not expose the passwords. A compromised end device would of course expose everything in the worst case, but that cannot be avoided with password authentication.)
 
  • Like
Reactions: Flood4
For those people saying they won't trust any company with their passwords, how do you manage your passwords? Not being snarky, I am curious. Do you have them written down on a notepad? Do you use the same password everywhere?
 
  • Like
Reactions: Flood4
For those people saying they won't trust any company with their passwords, how do you manage your passwords? Not being snarky, I am curious. Do you have them written down on a notepad? Do you use the same password everywhere?

The issue isn't trusting a company with passwords, but is instead trusting that your passwords are safe/secure in the cloud. As we've seen multiple times with LastPass and Dashlane, putting one's passwords in the cloud for the sake of convenience is a major risk in itself, because you are not in control of if that service you are putting your trust in can be trusted to keep such sensitive data like your passwords and other PII data secure.

This is where something like the standalone versions of 1Password, Enpass, and the like are better than any cloud SaaS that hosts passwords. By keeping it standalone, your passwords don't leave your possession. You could keep them stored on your own device and sync them between your devices, and be done.

Up until I upgraded to my M1 Pro MBP, I used 1Password 6.x on my MBA, and kept them in sync between that Mac, my iPad, and my iPhone. As 1Password went to a SaaS only, and only using subscriptions (read: dropped the standalone versions), plus leaving no upgrade path to 1Password 7 (which is a universal binary, not requiring Intel Support), I migrated over to Enpass. I keep my Passwords on my Mac, sync my vault between my Mac, iPad, iPhone, and PC, plus back up my vault to my NAS. That way nothing touches the cloud or anything outside of my network. This works doubly so because I keep more than just passwords in that vault: account numbers, PCI info, other PII info, the entire lot.

If others have that same type of data, and are storing that in the cloud, they are putting themselves at even further risk of identity theft because of breaches like this.

EDIT: Another issue from this is that if your data is in the cloud, should the authorities have to investigate you for anything, they don't have to get a warrant to get in possession of your vault. Since the SaaS is a 3rd party to the investigation of you, all that would be needed to get possession of your vault is a subpoena levied against that SaaS, and without your notification. Now, that doesn't mean they get access to the data in your vault, but that they can get your vault. That's a huge issue in itself, where a person would not be safe and secure in their possessions, because the vault wasn't in their possession to begin with (it is in possession of the SaaS company).

BL.
 
I'm a happy 1Password user. Sure, it's a subscription but:

- the subscription is much less than the cost of my time setting up, hosting and maintaining my own password manager setup

- YMMV but the 1Password staff - full-time, including security professionals etc - will be able to do this much better than my efforts (even if I had the time) - it's much more likely that I'll seriously mess up rather than them

- I use 1Password everyday so the small monthly cost is worthwhile to me

- it's cross-platform

- I don't mind the Electron Mac app - it does its job and gets out of my way when not needed

- if it goes wrong or there's a bug which affects me, there's someone at 1Password I can contact and get meaningful responses - compare that to trying to get anything from Apple for bugs in macOS!
I agree with all of this, having been a satisfied 1pass user for 10++ years.

The only problem is the existence of Bitwarden.

It’s as nice as 1Password, but free. I switched 1-2 years ago and haven’t regretted it.
 