no, i get it - but i also think your paranoia on this particular issue is unjustified.




if agileBits goes away, you export to csv, switch to keepass. so far, they haven't, they have committed to maintaining the ability for existing local sync users to do local sync.

I don't have a link to the web plugin -> 1password vulnerability, but it was about 1-2 years ago (i.e., well into the life of 1password 5 or 6 or whatever, and it affected all previous versions).

essentially malware running on your machine could intercept traffic between 1password and the web plugin that was sent in the clear, or something like that.

running ancient versions of security software is not a solution if you disagree with the future direction of the product. accept the direction and continue to keep up to date, or jump ship to another product. software regularly has flaws, and sticking with really old versions of software involved in keeping your passwords secure is a big risk.

at least, if you do so, be SURE to follow the change logs to ensure that you're aware of any vulnerabilities discovered that impact your version of the software.

If you're not going to keep up to date with this based on this future policy direction for new customers only, I'd recommend Keepass.


do you expect GM or Ford or whatever to upgrade the engine in your car whenever some new tech comes out, for free?

I am not sure what your point is; what does a vulnerability from 1 or 2 years ago have to do with the present discussion? That was fixed long ago.
You still don't see my point about being able to use non-subscription 1password even if there is no Agilebit.
 
Okay, so for those who won't stay with 1Password, where are you going?

Like I said earlier, I'd switch to KeePass today if the iOS apps worked better. I should just be able to hit the share button in my browser, click on the KeePass iOS app, select the login I want, and have it auto load that login info into my browser. Using copy/paste is inconvenient and insecure, using a browser built into the KeePass app is inconvenient and insecure.

I'm checking out enpass (installed via the Mac App store). Its GUI is similar to 1Password and it accepted the native 1Password export file with almost 100% perfection. Secure Notes didn't transfer as "Secure Notes" and were tagged as regular "Login," but that's a simple fix of dragging them from "All Items" to "Secure Notes." So far, no real problems.
 
I don't care that they push users towards cloud vaults (I store my vault in Dropbox, anyway), but I DO care about the push to subscriptions...


Please speak for yourself. You do not mind this or that, but there must remain options for everyone the way we paid for these apps and the ways they sucked us into using them. I expect more from the upcoming upgrades, not less.

I'm not paying for an additional subscription and I want my ability to sync locally. I'm not putting my passwords on anyone else's server. OPTIONS MUST REMAIN.

Otherwise, give us our money back and I will switch to another app that still has the features of the original 1P.
 
You understand that JavaScript can do the vault decryption locally on your machine, without your master password ever being sent to 1Password, yeah?

Yes, I completely understand that your password is never given to 1Password's servers. The vault (still encrypted) is sent to the user's browser and then client-side JavaScript is run in your browser to decrypt the vault using your password and vault key.

My issue the entire time from the first moment this discussion started is that hackers can simply take the vaults (while encrypted) and begin to brute force them. Just like they do with all other stolen/leaked databases that have your passwords hashed by bcrypt.

The difference is instead of getting a single piece of login information they have a gold mine of login information. Break one vault and you could get hundreds of logins for a person's entire web footprint. So many logins that it is unfeasible someone would even change them all in the event that a breach at 1Password became public.

The other issue is that if 1Password's servers are breached it is possible for a malicious attacker to MITM you accessing your vault on the 1Password website. Changing the JavaScript that is served to users so that once you input your Password and Vault Key the malicious code sends those to an attacker. At that point they can just login as you and unlock your vault.

Essentially sticking your vault on 1Password servers is a terrible idea. It is literally putting all your eggs in one basket. I would much rather keep my vault on my own computer where it's safe. Concentrating all our vaults in one central repository is like parking a truck full of cooked steaks next to a lion enclosure.
 
1Password is probably the most trustworthy password manager for macOS, but I'll never trust them with storing my passwords online. I wouldn't mind paying for a subscription if they add proper support for self hosting on iOS.

If they remove local storage, my family and I are out. Apple's Keychain would work for passwords and that is free.

What other options remain?

I've been using eWallet for a very long time, over 10 years for sure. They went 256-bit encryption early on. It's easy to use. They have a macOS client and iOS client and you can sync between them to keep both up to date. I don't trust other options, especially "cloud" solutions. 1Password is a major lightning rod for hackers. They are "security experts"? I think not. Security experts are very leery of the cloud and the extreme challenges of keeping data safe there.
 
I use OneDrive. The cloud stuff doesn't scare me too much as I have 2FA on that and (barely) trust MS to be somewhat secure.

I have a feeling the "next version" will be a paid version.

Hi,

I am from Enpass team and firstly I want to thank you for showing interest in Enpass.

We never charge for an update and our next major update 'Enpass 6' will also be free. Now coming to your point "How can a company survive when all they are getting from a single user is $9.99 and that user gets a lifetime license?!?"
This forum post will give the reply.

Cheers!
 
Yes, I completely understand that your password is never given to 1Password's servers. The vault (still encrypted) is sent to the user's browser and then client-side JavaScript is run in your browser to decrypt the vault using your password and vault key.

My issue the entire time from the first moment this discussion started is that hackers can simply take the vaults (while encrypted) and begin to brute force them. Just like they do with all other stolen/leaked databases that have your passwords hashed by bcrypt.

The difference is instead of getting a single piece of login information they have a gold mine of login information. Break one vault and you could get hundreds of logins for a person's entire web footprint. So many logins that it is unfeasible someone would even change them all in the event that a breach at 1Password became public.

The other issue is that if 1Password's servers are breached it is possible for a malicious attacker to MITM you accessing your vault on the 1Password website. Changing the JavaScript that is served to users so that once you input your Password and Vault Key the malicious code sends those to an attacker. At that point they can just login as you and unlock your vault.

Essentially sticking your vault on 1Password servers is a terrible idea. It is literally putting all your eggs in one basket. I would much rather keep my vault on my own computer where it's safe. Concentrating all our vaults in one central repository is like parking a truck full of cooked steaks next to a lion enclosure.

i'm not sure you're aware of the hash rate vs time to brute force the encryption we are dealing with here. due to the rounds of encryption involved, a brute force on the password database will be very, very slow. like... tens of thousands of times slower than brute forcing md5 or sha password hashes.

this is not the same as an md5 or SHA password file stolen from a web server password database.

man in the middle won't work without a forged ssl certificate.

you have some concerns, but the actual implementation of what you fear is not feasible.

it is FAR MORE LIKELY that your laptop is stolen, and/or someone (state sponsored) beats you with a lead pipe in a targeted attack. or you get a keylogger on your local machine

or the website you log into is MITM'd. or nuclear war breaks out, etc..
 
This is the problem you see - this is all completely wrong - on so many levels.

First, your assumption of where they store the vaults is wrong. Your assumption that a weak master password will compromise each vault object is wrong (1Password doesn't encrypt vault objects using just one password).

Finally - your solution of 'well, we'll just pick a free password manager, not caring where this company is based (enpass is built by a company in India for example - what are the laws regarding the Indian government forcing the creators of enpass to install a back door?)' - so be very careful in your assumptions.

Hi,

I can understand your concern about your database's privacy and security. Actually, Enpass is an offline password manager, which means we do not keep and have no access to data of any customer. It's mentioned there on our website home page and in the knowledge base here. So no question from the government arises about access to customers' data. The government is far; even we do not have access to any customer's data.
You can use Enpass without any worry of data leakage even if your device is lost. For more details, please visit the Enpass Security page.

Hope this clarifies your query!
 
i'm not sure you're aware of the hash rate vs time to brute force the encryption we are dealing with here. due to the rounds of encryption involved, a brute force on the password database will be very, very slow. like... tens of thousands of times slower than brute forcing md5 or sha password hashes.

this is not the same as an md5 or SHA password file stolen from a web server password database.

man in the middle won't work without a forged ssl certificate.

you have some concerns, but the actual implementation of what you fear is not feasible.

it is FAR MORE LIKELY that your laptop is stolen, and/or someone (state sponsored) beats you with a lead pipe in a targeted attack. or you get a keylogger on your local machine

or the website you log into is MITM'd. or nuclear war breaks out, etc..

I am not talking about a network-based MITM attack. I'm talking about their server being breached and the JavaScript literally replaced by one that intercepts credentials for the attacker. 1Password's server would be the one handing out the malicious attack code, which would then retrieve and send the user's password and secret key to attackers.

If the attackers have got the vaults, they've got access to 1Passwords infrastructure and could do anything. It wouldn't be the first time, and frankly a general website breach is probably easier, we've seen it many times all over the web.

And yes I'm aware that breaching encrypted vaults is more difficult than a simple password hash. But it all depends on how strong that secret vault key is and what 1Password mandates users input. Length, complexity etc - And again it won't mean anything if their webserver is breached and the Javascript replaced.
Hi,

I can understand your concern about your database's privacy and security. Actually, Enpass is an offline password manager, which means we do not keep and have no access to data of any customer. It's mentioned there on our website home page and in the knowledge base here. So no question from the government arises about access to customers' data. The government is far; even we do not have access to any customer's data.
You can use Enpass without any worry of data leakage even if your device is lost. For more details, please visit the Enpass Security page.

Hope this clarifies your query!

Hello Vikram, thank you for joining the discussion here and clarifying some misconceptions about your company, it is greatly appreciated.
 
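The two sides of this exchange (the earlier "rounds of encryption ... tens of thousands of times slower" post and the reply above that says it "all depends on how strong that secret vault key is") are about the same two facts: a stretched KDF makes each guess against a stolen vault expensive, and a second, device-held secret makes the password alone insufficient. The following Python example is added here and is not 1Password's, Enpass's or any vendor's code; the iteration count, salt, HMAC-based two-secret mixing and 1e10 guesses/s figure are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for the demo; real products pick their own and this is
# not any vendor's exact scheme.
ITERATIONS = 100_000
SALT = b"constructed-salt-for-demo"


def fast_hash(guess: bytes) -> bytes:
    """One unsalted SHA-256: the kind of hash a leaked web database might hold."""
    return hashlib.sha256(guess).digest()


def slow_kdf(guess: bytes, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Password stretching: every guess costs `iterations` HMAC-SHA256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", guess, salt, iterations, dklen=32)


def derive_vault_key(master_password: str, secret_key: bytes,
                     salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Two-secret derivation (illustrative): the stretched password is mixed with a
    high-entropy secret key that lives only on the user's devices, so a stolen
    server-side vault plus salt still requires recovering both secrets."""
    stretched = slow_kdf(master_password.encode(), salt, iterations)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def seconds_per_call(fn, reps: int) -> float:
    """Average wall-clock cost of one call to `fn`."""
    start = time.perf_counter()
    for _ in range(reps):
        fn()
    return (time.perf_counter() - start) / reps


def cost_ratio(iterations: int = ITERATIONS) -> float:
    """How many times slower one guess is against the stretched KDF than against
    plain SHA-256 on this machine; expect tens of thousands or more."""
    fast = seconds_per_call(lambda: fast_hash(b"guess"), reps=2000)
    slow = seconds_per_call(lambda: slow_kdf(b"guess", SALT, iterations), reps=3)
    return slow / fast


def years_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Time to try every candidate in `keyspace` at the given guess rate."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def which_candidate_unlocks(candidates, verifier: bytes, secret_key: bytes,
                            salt: bytes = SALT, iterations: int = 1000):
    """Check which candidate password reproduces a stored key verifier. With the
    wrong secret key even the correct password fails, which is the whole point."""
    for pw in candidates:
        if hmac.compare_digest(derive_vault_key(pw, secret_key, salt, iterations), verifier):
            return pw
    return None


if __name__ == "__main__":
    ratio = cost_ratio()
    print(f"stretched KDF is ~{ratio:,.0f}x slower per guess than plain SHA-256")
    # Assume 1e10 fast hashes/s on GPU hardware; stretching divides that rate by the ratio.
    print(f"8-char lowercase, fast hash: {years_to_exhaust(26 ** 8, 1e10):.6f} years")
    print(f"same keyspace, stretched:    {years_to_exhaust(26 ** 8, 1e10 / ratio):.2f} years")
    key = secrets.token_bytes(16)
    verifier = derive_vault_key("correct horse", key, iterations=1000)
    print(which_candidate_unlocks(["password", "correct horse"], verifier, key))       # correct horse
    print(which_candidate_unlocks(["password", "correct horse"], verifier, b"x" * 16))  # None
```

The measured ratio understates the real gap, since the fast-hash side is dominated by Python call overhead rather than the hash itself.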
I am not talking about a network-based MITM attack. I'm talking about their server being breached and the JavaScript literally replaced by one that intercepts credentials for the attacker. 1Password's server would be the one handing out the malicious attack code, which would then retrieve and send the user's password and secret key to attackers.

If the attackers have got the vaults, they've got access to 1Passwords infrastructure and could do anything. It wouldn't be the first time, and frankly a general website breach is probably easier, we've seen it many times all over the web.

And yes I'm aware that breaching encrypted vaults is more difficult than a simple password hash. But it all depends on how strong that secret vault key is and what 1Password mandates users input. Length, complexity etc - And again it won't mean anything if their webserver is breached and the Javascript replaced.

Hello Vikram, thank you for joining the discussion here and clarifying some misconceptions about your company, it is greatly appreciated.

Gotcha. MITM javascript is a legit concern.

Solution: don't do that. Run the app.


edit:

Running the javascript web UI is totally independent of subscriptions and has always been a questionable idea.
 
Is it open source?

If not, if you're at that level of paranoia, no go.

Use Keepass instead.

closed source = what's to say the app isn't harvesting your passwords for the vendor?

Paranoia? Sure. But there has to be a level of trust somewhere. If you don't trust say, 1password to keep your data safe, why do you trust Enpass without access to the source?
 
Is it open source?

If not, if you're at that level of paranoia, no go.

Use Keepass instead.

1Password isn't open source and I've been using that for years. Their money grubbing business tactics are why I won't use them, the security issues with their cloud vault are just a result of them trying to push people to a subscription they don't want or need.

enpass is free for desktop, paid on mobile with no subscription and no data touches their servers. You can verify that with network monitoring. Works great, looks great and they even have a Linux client which 1Password does not.
 
1Password isn't open source and I've been using that for years. Their money grubbing business tactics are why I won't use them, the security issues with their cloud vault are just a result of them trying to push people to a subscription they don't want or need.

enpass is free for desktop, paid on mobile with no subscription and no data touches their servers. You can verify that with network monitoring. Works great, looks great and they even have a Linux client which 1Password does not.

Keep pushing that enpass.

Nothing is free. Nothing. Linux is a fraction of an OS for the consumer so that's not a selling point to 99.8% of the people.

1Password is great, I cloud sync, have a sub and never had an issue with them. I trust all my data is safe. If not, you know what I will do? Change my passwords somewhere. Big freaking deal. How many of you had your Target data stolen and still have Target cards and shop there? Uh huh. Either go all in or ****. You all are nit picking at this point.
 
People who are going to tell you how they do not mind this or that feature are worse than the business such as the predicted future 1P.

Hello, please leave this space (as long as you are not paid to market these companies) for the people who you cannot convince that the cloud server syncing and subscriptions are ok. What is your need to try to look so smart and fearless if you have no issue? Either address your issue or be happy for what you have that you like.

Paid upgrades now and then are fine; removing features is not fine (especially those features that are the most important initial reason for buying an app in the first place - local syncing).

P.S. Does enpass offer local syncing? I will be moving to it right away if the answer is yes.
 
Do you think wages, rent and servers are a one time fixed cost?

No software company can survive on a single purchase model. That's just a way to get you hooked before they eventually switch to a subscription model.

Get used to it.

That's not how things work in the real world.

So a company that sells cars or let's say, fridges won't survive because it can't charge a subscription?

You (and everybody else) HAVE TO buy my $50 fart app since I "DESERVE" a good salary. You know, I need to pay rent, groceries, booze and some "medication" I like to use.
 
I hope 1Password is reading, because it sounds to me like they will lose a significant number of customers to lower cost options, non-subscription options, and to long-time supporters leaving solely on principle.

I for one will leave 1Password if they follow through with this, be it for another local storage company like Enpass or one of the popular competing companies. There are many good options in this space. They'd best price in the possibility they are cutting their own throats with this decision, going from a premier provider to an also-ran in a wink of time.

The momentum of an angry customer can quickly grow into an army of discontent shouting from the rooftops of today's social media, tipping a boulder to rolling down a mountain where you can do nothing but prepare to absorb the damage.
 
Keepass + Dropbox. Been using this combo for many years, intend to continue doing exactly that.
 
Keepass + Dropbox. Been using this combo for many years, intend to continue doing exactly that.

Really? Wow.

Dropbox doesn't use zero knowledge encryption. I would never sync my password database to it. That goes for using the standalone version of 1Password, Keepass or anything.

So if you're afraid of 1Password's cloud-based subscription model, you certainly don't want to be storing any sort of password database on Dropbox.
 
People who are going to tell you how they do not mind this or that feature are worse than the business such as the predicted future 1P.

Hello, please leave this space (as long as you are not paid to market these companies) for the people who you cannot convince that the cloud server syncing and subscriptions are ok. What is your need to try to look so smart and fearless if you have no issue? Either address your issue or be happy for what you have that you like.

Paid upgrades now and then are fine; removing features is not fine (especially those features that are the most important initial reason for buying an app in the first place - local syncing).

P.S. Does enpass offer local syncing? I will be moving to it right away if the answer is yes.

Currently Enpass does not offer local WiFi syncing, although it is on their roadmap with no planned date. It supports cloud syncing through Dropbox, Google Drive, One Drive, Box, and Webdav/ownCloud. The Apple Store desktop version and iOS support iCloud. No other version has this support.
 
Currently Enpass does not offer local WiFi syncing, although it is on their roadmap with no planned date. It supports cloud syncing through Dropbox, Google Drive, One Drive, Box, and Webdav/ownCloud. The Apple Store desktop version and iOS support iCloud. No other version has this support.

So, basically the same things as 1password. Got it.
 
Except current version of 1Password 6 for Windows only supports Agilebits cloud with no choice of cloud and 1Password 6 is only available through subscription.
 
I tried using Keepass myself, it was a terrible experience compared to Lastpass and 1password, and a lot of the time I had to copy passwords to the clipboard which is quite insecure.

The way this all goes is, the people who do the best things charge money. Much of open source is basically communism trying to succeed in a capitalist world, and as such no one gets the motivation that they need (which is, enough money) to do a good job. It's why after all these years Linux is still quite halfassed, improving only in instances of commercial interest (Canonical, Redhat, etc)
 
i'm not sure you're aware of the hash rate vs time to brute force the encryption we are dealing with here. due to the rounds of encryption involved, a brute force on the password database will be very, very slow. like... tens of thousands of times slower than brute forcing md5 or sha password hashes.
Quantum computing is just around the corner. What you say now takes a long time will be reduced to nothing. Put your database in the cloud, and you will be had, soon.
 