item 14813678

On Password Managers

393 points | tmorton | 8 years ago | tbray.org

336 comments

[+] tptacek|8 years ago|reply
The 1Password situation is complicated, and is a lot less sketchy than Bray's summary would lead you to believe. 1Password has not in fact phased out their native applications or required people to use 1Password.com to store passwords (it would be insane for them to do so).

There are four issues that I'm currently aware of with 1Password:

1. They've converted from flat to subscription pricing.

2. They're pushing people to a 1Password-managed cloud sync system instead of the a la carte sync they were doing before.

3. They're promoting cloud vaults and hiding local vaults, and the Windows version of 1Password has apparently never used local vaults.

4. Now that they have 1Password.com, first-time enrollment in 1Password requires you to interact, once, with 1Password.com.

Of these, only (4) is a serious security concern. Their last release further eliminated the native app's dependency on 1Password.com. I'm confident they'll get all the way towards decoupling them, but I'm not them, so grain of salt.

I have no relationship with 1Password other than as a happy customer and as someone who does research in the field they work in. Having said that: I strongly recommend that you be very careful about what password manager you choose to use. The wrong password manager can be drastically less secure than no password manager. I recommend 1Password, and there's currently no other commercial password manager that I recommend. I'm sorry I can't go into more detail than that. :(

[+] tedmiston|8 years ago|reply
Just to be clear, it's still 100% possible to keep your 1Password vault in Dropbox etc and not use the SaaS version [1]. I felt like this fact was buried in the article.

Edit: Here's the link to buy the standalone license [2] which is hard to find on the site now.

In a post from the founder one week ago [3] he said, "We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults."

[1]: https://support.1password.com/sync-with-dropbox/

[2]: https://agilebits.com/store

[3]: https://blog.agilebits.com/2017/07/13/why-we-love-1password-...

[+] rcthompson|8 years ago|reply
On the other hand, the fact that they're saying not everyone is ready "yet" seems to imply that they expect to eventually migrate everyone off standalone vaults.
[+] mockindignant|8 years ago|reply
Last I saw, on windows you cannot use 6.0 client without a 1Password.com account, and even then it can only read local vaults.

If you want to edit or delete entries you have to use 4.x, which did not seem to support OTP.

They have made no commitment for bringing windows support for local vaults to feature parity with the mac client.

[+] wepple|8 years ago|reply
Given the change to their business model I am concerned they can push an update, where the next time I unlock my vault it syncs my master password and/or decrypted vault to their cloud.

Maybe time for an open source password manager?

[+] clairity|8 years ago|reply
that feature is one of the primary reasons i jumped into the 1password boat from keepass. i have a personal vault and a shared team vault, both sitting on dropbox and shared to various devices and users as required. there is no need to use 1password.com at all.
[+] evantahler|8 years ago|reply
And you can use other Sync methods, like iCloud or move the files around yourself.
[+] malchow|8 years ago|reply
Is it possible to use the 1Password "family" or "team" accounts with Dropbox or iCloud storage?
[+] netrap|8 years ago|reply
That's good to know.
[+] pixelmonkey|8 years ago|reply
I use Enpass on Linux, Windows, OS X, Android, and iOS. I also use the Chrome extension. It has a similar user experience to 1Password, but is actually serverless (you sync your encrypted blob to a cloud service of your choice, or not at all). I wish Enpass were open source, but I can understand their decision not to make it so -- its desktop application is free and its mobile apps include a small perpetual license fee ($10 per user, one-time). The format of the encrypted blob is a simple SQLCipher database that uses your (memorized) master password as the secret key, so even though the application is closed source, the data seems to be stored in an open format. Overall, it's probably the best option on the market in a very bad category of software. After evaluating them all, IMO, you should run away from 1Password, Dashlane, Lastpass, etc and use Enpass instead. Even better if the place you sync your encrypted blob is protected by strict 2FA and has good (enforceable) privacy policies.
[+] joekrill|8 years ago|reply
I'm using Enpass, too. Your sentiments mirror mine exactly. In general I'm surprised they are not getting more press. Perhaps if they were more explicit and open about their underlying data format (the SQLite+SQLCipher database)?
[+] purvis|8 years ago|reply
I've recently installed Enpass and I'm currently in the process of evaluating it. I really like the idea so far. My main concern is that they're not charging enough and wonder if the business model is sustainable.
[+] tw04|8 years ago|reply
I've used it but there are two major issues they still haven't fixed.

On windows there's some bug with a qt library they're using that, of all things, messes up network connectivity. It does polling of the network interfaces every 30 seconds (I believe) which causes traffic to completely stop for a couple of seconds.

On Android at least, it is EXTREMELY slow. Search works about 10% of the time, and the other 90% of the time you have to kill the app and relaunch it.

[+] fuzzygroup|8 years ago|reply
I can definitely endorse Enpass as a great product. I never used to believe in password managers but the past year has made a believer of me. I had the passcode to our garage door stored as an encrypted note and ended up getting home for ElixirCon via a late night Uber and rather than wake up the family, I looked it up in Enpass, keyed it and it was perfect.

I have it on all my Macs, my iPad and iPhone and sync via Dropbox has been flawless so far.

[+] mnm1|8 years ago|reply
Yes, me too. It took some missteps with shitty Lastpass before I finally found it. I sync directly from my computer to my phone and from my computer to my NAS. I've thought about syncing to Google Drive or some other service like that and it is an option, but so far hasn't been necessary. I don't see why my password data should ever have to leave my machines if I don't want it to. And it doesn't.
[+] raquo|8 years ago|reply
I found Enpass rather unfeatureful. It doesn't even have an option to use multiple vaults.
[+] epse|8 years ago|reply
Only downside is importing and exporting. I've been on Enpass since I got an android license through myappfree for some reason but exporting to KeePass was a bloody pain... Hadn't figured out the format of their blob, that could have helped. Might want to get back to it right now....
[+] vikingcaffiene|8 years ago|reply
Good security hygiene is like a diet or exercise plan: the most effective one is the one you will stick with. Most users don't follow good habits because it's a giant pain for non technical users to get set up. 1p's subscription plan is aimed squarely at those people and I think it's a great idea. It's reasonably secure and easy to set up everywhere. That is a big deal in my mind. Yes, it's not bullet proof but it's 100000% better than what the current status quo is.

Additionally, managing your own password vault is a lot like managing your own email server. There are advantages but I feel that the disadvantages are substantial. For one, the likelihood that you, one person, are going to do a better job of securing your stuff than a dedicated team is optimistic at best. Keeping your password vault safe is literally this company's full-time gig and they have entire teams dedicated to it. Do I think they are infallible? Of course not. I'm not an idiot. But I think they are going to do a better job than me at keeping my stuff safe. I happily will pay for that every month.

The author's point about the 1p web portal is a good one. I don't use it out of similar concerns. Besides that, I really could not be happier with 1p as a password management solution. They have a good track record (no hacks that I am aware of) and I want the company I trust with literally the keys to my kingdom to be profitable and motivated to keep improving.

[+] ajross|8 years ago|reply
> Additionally, managing your own password vault is a lot like managing your own email server.

As someone who actually does both, this is IMHO backwards. My "password vault" is a GPG file I open in emacs and cut and paste from. It's trivially copied and maintained, extends cleanly to "non-password" secret info (e.g. credit cards, my kids' SSNs), involves no third party systems beyond the operation of the software, is trivially backed up via straightforward file copies that I do all the time anyway, and just in general works better than the rather complicated ecosystem of commercial offerings.

Works poorly in a phone, though.

[+] kalleboo|8 years ago|reply
You don't have to "manage your own password vault" though. I sync my 1Password vault via iCloud. It's like two clicks to turn it on. And surely Apple have an even bigger and better team dedicated to keeping my data safe?
[+] harrisonjackson|8 years ago|reply
With a couple UI/UX enhancements, Apple could take over the iOS/MacOS marketshare of these products with Keychain. It's already possible to use keychain in your workflow for password management, it's just not super convenient.

I'd switch from Lastpass, if Apple made it easier to autofill and autogenerate passwords and added support for sharing / teams.

[+] milhous|8 years ago|reply
macOS/iCloud keychain does the job for me, but agreed that the user experience can be much better. If it's not a Safari password that's set up for autofill, opening Keychain Access, searching for the right credential, then authenticating to see the password gets tedious real fast. Same with being on iOS and opening Safari > Settings > Passwords, authenticating, and scrolling through a list of passwords to choose from with a final Copy/Paste action in the end. At the very least Apple should make credential management a lot easier.
[+] LordHeini|8 years ago|reply
At our company we use keepass2 with a db file synced by dropbox. Works nicely. Keepass can save all sorts of stuff alongside passwords (like credentials, api-tokens...) and there is an app too (for android at least). Might get a bit clunky if lots of people change a lot of stuff all the time but for us it is not a problem.
[+] netrap|8 years ago|reply
That's what I use as well. Only thing missing I guess is a mobile workflow, though there are some options.
[+] greggyb|8 years ago|reply
Can Keepass2 have different passwords for different users?

Or are you sharing one master password among multiple employees?

[+] irrational|8 years ago|reply
Does anyone at your company use iOS? If so, how are they doing it?
[+] braink|8 years ago|reply
I totally agree with Tim Bray's post. The bottom line is that the pestering that I get from AgileBits makes me, as a customer, really doubt their integrity after trusting them for years. Why are they trying to force me to do this? Obviously because they want more money (but are betraying their own oft-stated security attitudes) and maybe even for some other reason (the backdoor thing?).
[+] jaclaz|8 years ago|reply
IMHO this part is where the nail is hit right on the head:

>Why is AgileBits doing this? · For the same reason that Adobe has been pressuring its customers, for years now, to start subscribing to its product, rather than buying each successive version of each app. A subscription business is much nicer to operate than one where you have to go out and re-convince people to re-buy your software.

It is the part (common to many other software vendors) where they stress the "I am doing this for your own good" that irks me.

You want to change your business model? Fine.

Do you believe that this new one is better? Fine.

Do you want to convince me that you are changing the "old" model (which BTW you used until a nanosecond ago) because it is better for me? Hmmm.

[+] tedmiston|8 years ago|reply
The new model is better for you if you want the company to make enough money to be able to support the product and put out new releases to fix bugs and vulnerabilities.
[+] jwr|8 years ago|reply
I wish AgileBits didn't conflate two issues:

* I have no problem with subscription pricing, software that is maintained needs to be sold in a subscription model, period. Anyone who thinks otherwise is deceiving themselves.

* I do have a problem with entering my password (that is used to encrypt my data) into a JavaScript environment.

Give me native apps, charge me in a subscription model, don't force me into a web site version, and all will be fine.

[+] chipotle_coyote|8 years ago|reply
I'm a 1Password user, and have synced my vault between devices through both Dropbox and iCloud at various points. I can't help but feel like either there's something I'm missing or something everyone else is missing, which statistically means that it's most likely me. But:

When I sync with iCloud, Apple can't read my vault--even though it's on their servers, it's strongly encrypted with my passphrase, and the encryption/decryption happens on my devices.

When I sync with Dropbox, Dropbox can't read my vault--even though it's on their servers, it's strongly encrypted with my passphrase, and the encryption/decryption happens on my devices.

When I sync with AgileBits' own cloud... doesn't the sentence go exactly the same way? Quoting from their own current web page: "Every time you use 1Password, your data is encrypted before a single byte ever leaves your devices."

So even if the vault is on AgileBits' own servers, isn't it _no more and no less secure_ than the third-party syncing solutions they offer? Maybe that's not the case, and things actually function differently--but I haven't seen anyone describe why that would be the case. Again, maybe I'm just missing it. But I keep missing it. And it's not in Tim Bray's article, either. He's fine with putting it on somebody else's server if that server is run by Dropbox, but not if it's run by the company that he's trusting to encrypt it against people hacking Dropbox? How is this materially different than using iCloud, Dropbox, or any other solution that puts a copy of my vault on someone else's servers for syncing purposes?

If the real argument is that there should always be a way to use a password manager with _no_ cloud-based syncing solution, I'm on board with that; it'd be a requirement for some businesses. But that doesn't seem to be the argument that's being made. And if the real argument is that you don't like subscription pricing models, that's fine. I don't like them, either. But that's not an argument about security--it's an argument about pricing models.

[+] moskie|8 years ago|reply
The one place that 1Password doesn't meet my needs is in ChromeOS.

The browser plugin requires the machine you're on to have the 1Password app running in the background, which is how it gets its data from the local (and synced) vault. But there is no 1Password ChromeOS app (and I don't think it's really even possible for there to be something like that in ChromeOS), so the browser plugin does not work in Chrome on ChromeOS devices.

A while back, I think the 1Password synced vault files would also have an HTML file you could load up in a browser, which would then communicate locally with the encrypted vault to gain access to your passwords, which was a workaround on ChromeOS. I'm not sure of the security implications of that process, but it isn't supported anymore.

I really like the locally synced vault with browser plugin functionality, but the fact that there isn't a solution on ChromeOS has been a sticking point for me. I've gone the route of having Google store 1Password generated passwords via Chrome's password features, for sites that I regularly access via ChromeOS, which works, but feels excessive.

[+] danirod|8 years ago|reply
I've been using password managers (KeePass, in my case) for about a year and all I can think is, why didn't I start using them earlier? It is cheaper to generate a long, random password using alphanumerical and special characters than to try to think up a clever yet memorable unique password by myself, and probably more secure.

Plus, it's true that you end up storing other sensitive things that are not passwords, such as API or recovery keys, because it acts like a vault.

[+] zokier|8 years ago|reply
> Plus, it's true that you end up storing other sensitive things that are not passwords, such as API or recovery keys, because it acts like a vault.

I think this is one aspect that often gets overlooked. Keepass especially is pretty flexible for storing all sorts of small things that you feel need extra security and want to carry with you. Any entry in Keepass can have arbitrary key-value pairs in addition to the common fields, and if that is not enough you can also embed/attach files into the entry. For Windows especially, Keepass can also store ssh-keys and function as a half-decent ssh-agent.
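Added example, not KeePass's own code: a small auditor that walks a KeePass 2.x XML export and inventories, per entry, the custom key-value fields and attachments the comment above describes, flagging custom fields whose value is not marked as memory-protected. The sample export is constructed here and mirrors the export layout as I understand it (`String`/`Key`/`Value`, `ProtectInMemory="True"`, `Binary` with a `Ref` into `Meta/Binaries`); treat those element names as an assumption and check them against a real export.

```python
import base64
import xml.etree.ElementTree as ET

# Fields KeePass creates on every entry; anything else is a user-added custom field.
STANDARD_FIELDS = {"Title", "UserName", "Password", "URL", "Notes"}

# Constructed sample in the KeePass 2.x XML export layout (assumption, not a real export).
# The attachment is the first line of an OpenSSH key file, base64-encoded, nothing more.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<KeePassFile>
  <Meta>
    <Generator>KeePass</Generator>
    <Binaries>
      <Binary ID="0" Compressed="False">LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K</Binary>
    </Binaries>
  </Meta>
  <Root>
    <Group><Name>Root</Name>
      <Entry>
        <String><Key>Title</Key><Value>mail.example.test</Value></String>
        <String><Key>UserName</Key><Value>alice</Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">constructed-pw</Value></String>
        <String><Key>URL</Key><Value>https://mail.example.test</Value></String>
        <String><Key>Recovery codes</Key><Value ProtectInMemory="True">1111 2222</Value></String>
        <String><Key>Support PIN</Key><Value>4321</Value></String>
        <Binary><Key>id_ed25519</Key><Value Ref="0"/></Binary>
      </Entry>
      <Group><Name>Work</Name>
        <Entry>
          <String><Key>Title</Key><Value>CI deploy token</Value></String>
          <String><Key>API token</Key><Value>tok_constructed_123</Value></String>
        </Entry>
      </Group>
    </Group>
  </Root>
</KeePassFile>
"""


def _walk(group, path, binaries, out):
    """Recurse through nested groups, collecting one summary dict per entry."""
    path = path + [group.findtext("Name", "")]
    for entry in group.findall("Entry"):
        fields, unprotected = {}, []
        for s in entry.findall("String"):
            key = s.findtext("Key", "")
            value = s.find("Value")
            fields[key] = (value.text or "") if value is not None else ""
            protected = value is not None and value.get("ProtectInMemory") == "True"
            if key not in STANDARD_FIELDS and not protected:
                unprotected.append(key)
        attachments = []
        for b in entry.findall("Binary"):
            ref = b.find("Value").get("Ref")
            size = len(base64.b64decode(binaries.get(ref, "")))
            attachments.append((b.findtext("Key", ""), size))
        out.append({
            "group": "/".join(path),
            "title": fields.get("Title", ""),
            "custom_fields": sorted(k for k in fields if k not in STANDARD_FIELDS),
            "unprotected_custom": unprotected,
            "attachments": attachments,
        })
    for sub in group.findall("Group"):
        _walk(sub, path, binaries, out)


def parse_entries(xml_text):
    """Return a list of entry summaries for every entry in the export."""
    root = ET.fromstring(xml_text)
    # Attachment bodies live once under Meta/Binaries and are referenced by ID.
    binaries = {b.get("ID"): (b.text or "").strip()
                for b in root.iter("Binary") if b.get("ID") is not None}
    out = []
    for top in root.find("Root").findall("Group"):
        _walk(top, [], binaries, out)
    return out


def report(xml_text):
    """Human-readable lines: which non-password secrets live where."""
    lines = []
    for e in parse_entries(xml_text):
        lines.append(f"{e['group']} / {e['title']}: custom={e['custom_fields']} "
                     f"attachments={e['attachments']} unprotected={e['unprotected_custom']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_XML)))
```

Pass the contents of a real export file to `parse_entries` instead of `SAMPLE_XML`; the export is plaintext, so work on a copy and delete it afterwards. The "unprotected" list is the interesting output: custom fields such as API tokens default to plain string fields unless you tick the protect option when adding them.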

[+] macintux|8 years ago|reply
Password managers are indeed a dramatic quality-of-life boost. Social security numbers for important family members, software license keys...one stop shopping for any sensitive or easily-misplaced information in my life.
[+] rrix2|8 years ago|reply
More and more, I'm recommending that friends and family get a Mooltipass[1]. It's open source, it works on any platform that supports USB HID (including mobile devices using an OTG cable), it's got multiple browser plugins, and it allows you to have "two factor" auth by separating the pin-protected crypto key from the device itself using smart cards.

The device can be backed up, and the cards can be backed up too (since unfortunately it's not doing the crypto on the card, the card is just a verifiable pin-protected way to store the AES key) and it's an obscure enough looking device that it's not yet an easy theft target.

[1]: https://www.themooltipass.com/

[+] danr4|8 years ago|reply
The only cloud based password manager I'm willing to use is Dashlane[1]. It's supposedly "zero knowledge", and although you can never be 100% there isn't some bug waiting around to be exploited, it's a compromise I'm willing to make (the lesser evil). They also have several complementing features like encrypted notes, auto saving receipts, credit cards, batch password changer with quite a few major sites.

I'm not affiliated with them, it's just I never see them on HN compared to mainstream applications like LastPass, 1Pass, OneLogin and such.. and I think their services are better. Plus their support is great.

On the other hand, if everybody starts using it maybe it'll become a bigger target for hackers. so don't tell everyone :)

[1] http://dashlane.com

[+] trjordan|8 years ago|reply
If I understand correctly, the main problem here is that if a password manager at some point asks you for a password in an online environment, they're subject to coercion. This is especially dangerous if you're using auto-updating code like Javascript in a browser or code on a remote service, because it could get backdoored at any time and you wouldn't notice.

Isn't the real problem auto-updating code with access to a network? 1password.com is certainly another vector that fits this description, but if you don't trust AgileBits to manage 1password.com securely, why would you trust them to manage the app on your machine securely? Or the auto-updating Chrome plugin?

I'm not denying that there's more surface area by creating a login, but I think it's a false dichotomy to say that the app is "offline" and the website is "online". They both have network access, and if AgileBits or a random hacker can change the app's code, they'll do that. That change will be mindlessly delivered to your computer, and the bad guys will have all your passwords.

[+] grimborg|8 years ago|reply
Why is the 1password login the same as the encryption password for all my other passwords? There is absolutely no reason why I should ever send them my encryption password. If they would make these two passwords separate and handle all encryption/decryption locally, I think that would solve the issue for me.
[+] analogist|8 years ago|reply
Because they don't transmit your encryption password.

Authentication is not done by sending them your encryption password, but instead the derivation of an SRP static secret (https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco...) from your password (PBKDF, XOR'd with HKDF of the entropy-boosting pepper that they call the "Secret Key"), and performing a session key exchange handshake, basically like a (non-ephemeral) Diffie Hellman. They then encrypt all future communications (inside of TLS) with the transient session key.

This gets you three things in one swoop:

- Authentication of user

- Authentication of the server (if the remote server doesn't have the stored RSA counterpart of your derived SRP static secret, the exchange can't complete)

- An additional encrypted tunnel independent of TLS, so transport security isn't reliant solely on TLS (Cloudbleed, etc). (The contents being moved around are encrypted yet again)

And:

- User doesn't have to remember a separate password.

- The password and pepper never touch the network, only (non-reversible) session tokens do.

- Having access to traffic inside of TLS (corporate or malicious TLS endpoint interception, for example) still gets you nothing.

There are valid criticisms of 1Password, but you're literally criticizing them for something they've explicitly gone out of their way and spent engineering hours solving, in a way that not many services have even bothered thinking about.
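The exchange the comment above describes, as an added example that is not AgileBits' code: an SRP-6a style login in which the client's secret exponent x comes from a two-secret derivation (PBKDF2 of the memorised password XORed with an HKDF expansion of a high-entropy Secret Key). The server stores only a salt and a verifier; across the wire go the public values A and B and an HMAC proof of the session key, never the password or the Secret Key. To keep the demo fast, the group is a 128-bit safe prime found at runtime, which is purely an assumption for illustration; a real deployment uses the 2048-bit or larger groups from RFC 5054. The function and parameter names are mine, not 1Password's.

```python
import hashlib
import hmac
import os
import random

_mr_rng = random.Random(0)  # deterministic witnesses for the demo prime search


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; fine for choosing a demo group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_mr_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits, seed=1):
    """N = 2q + 1 with q prime and N % 8 == 3, so g = 2 generates all of Z_N^*."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        n = 2 * q + 1
        if n % 8 == 3 and is_probable_prime(q) and is_probable_prime(n):
            return n


N = find_safe_prime(128)  # toy group (assumption); use RFC 5054 groups in practice
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*ints):
    """SHA-256 over fixed-width big-endian encodings, returned as an integer."""
    data = b"".join(i.to_bytes(NBYTES, "big") for i in ints)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


k = H(N, g)  # SRP-6a multiplier parameter


def hkdf_sha256(ikm, salt, info, length=32):
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_x(password, secret_key, salt, iterations):
    """Two-secret derivation: slow KDF of the password XOR HKDF of the Secret Key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    sk_part = hkdf_sha256(secret_key, salt, b"srp-x")
    return int.from_bytes(bytes(p ^ s for p, s in zip(pw_part, sk_part)), "big")


def enroll(password, secret_key, iterations):
    """Client side, once: the server receives and stores only (salt, verifier)."""
    salt = os.urandom(16)
    return salt, pow(g, derive_x(password, secret_key, salt, iterations), N)


def server_challenge(verifier, b):
    """Server's message B, built from the stored verifier and its ephemeral b."""
    return (k * verifier + pow(g, b, N)) % N


def session_key(S):
    return hashlib.sha256(S.to_bytes(NBYTES, "big")).digest()


def proof_of(K, A, B):
    return hmac.new(K, A.to_bytes(NBYTES, "big") + B.to_bytes(NBYTES, "big"),
                    hashlib.sha256).digest()


def client_prove(password, secret_key, salt, A, a, B, iterations):
    """Client derives the shared key from B and returns an HMAC proof of it."""
    if B % N == 0:
        raise ValueError("refuse B == 0 mod N")
    u = H(A, B)
    x = derive_x(password, secret_key, salt, iterations)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return proof_of(session_key(S), A, B)


def server_verify(verifier, A, B, b, proof):
    """Server recomputes the key from the verifier alone and checks the proof."""
    if A % N == 0:
        raise ValueError("refuse A == 0 mod N")
    u = H(A, B)
    S = pow((A * pow(verifier, u, N)) % N, b, N)
    return hmac.compare_digest(proof_of(session_key(S), A, B), proof)


def login(password, secret_key, salt, verifier, iterations):
    """One full exchange; True when the server accepts the client's proof."""
    rng = random.SystemRandom()
    a, b = rng.randrange(1, N), rng.randrange(1, N)
    A = pow(g, a, N)                                   # client -> server
    B = server_challenge(verifier, b)                  # server -> client
    proof = client_prove(password, secret_key, salt, A, a, B, iterations)  # client -> server
    return server_verify(verifier, A, B, b, proof)


def demo(iterations=20_000):
    """Correct password + Secret Key succeeds; either one wrong fails."""
    secret_key = os.urandom(16)  # constructed stand-in for the device-held Secret Key
    salt, verifier = enroll("correct horse", secret_key, iterations)
    return (login("correct horse", secret_key, salt, verifier, iterations),
            login("wrong horse", secret_key, salt, verifier, iterations),
            login("correct horse", os.urandom(16), salt, verifier, iterations))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The third case in `demo` is the point of the Secret Key: a leaked verifier plus a weak password is still not enough to log in, and a TLS-terminating proxy that sees A, B and the proof learns nothing it can replay, because every session uses fresh a and b.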

[+] lowbloodsugar|8 years ago|reply
Indeed. This is so obvious that the fact that it's not the case raises concern.
[+] darrmit|8 years ago|reply
I'm glad to see this getting more attention because it has been brewing for months and 1Password is essentially doing what they promised they wouldn't - forcing users to the subscription/online model by phasing out support for local vaults.

I'm not mad at the subscription. I'd pay them the few bucks a month happily for what is an excellent application cross-platform. I AM mad at the forced cloud sync.

My current plan is to keep using 1PW 4 on Windows as long as possible and then re-evaluate when I absolutely have to. KeePass is a close alternative, but nowhere near as polished at this point.

[+] suprfnk|8 years ago|reply
> KeePass is a close alternative, but nowhere near as polished at this point.

The story of a lot of open source projects.

[+] m3Lith|8 years ago|reply
Polished as in having a more "modern"/user friendly UI? I'd say the UI is the least important part of a password manager. Especially if you use an extension for autofilling/autosaving, you barely ever see it.

Anyways, there is a more stylish web UI for Keepass: https://keeweb.info/

[+] archagon|8 years ago|reply
Over time, it's become clear to me that the only business model with true longevity is open source. When I was first looking into password managers several years ago, I wanted something very simple: an iOS tool that could securely and locally encrypt a data blob with a memorized master password. 1Password did this job well for many years. Unfortunately, as with many App Store offerings, the pressing need for Agile Bits to grow has distorted the fundamental nature of the product. I was first alarmed when they added TouchID authentication: a seemingly innocuous feature, but one that necessarily stored your master password somewhere other than your head. (Fortunately, this was disabled by default.) Subsequently, features got added that stored your data on remote servers and even required you to send your master password over the web. I ignored this for the most part, but recent talk of this becoming the only use case for 1Password has put me on red alert. It's evidently time for me to start looking into OSS alternatives for my password manager, just as I have with a number of other tools in recent years.

Unfortunately, it seems that many companies these days are more interested in developing services rather than deftly solving specific user problems. Whether or not this is financially sound, it's an ongoing assault on my workflow. I can't live in fear of every utility on my system pivoting to a new business model! Fundamental software needs to be stable, and there's a good reason why most of our essentials (compression, video playback, web browsing, etc.) are free and open source.

Going forward, I hope we discover more ways to collectively fund open source software projects, large and small, because everything else is just an IOU for another future shakeup.

[+] malchow|8 years ago|reply
I totally missed this switch by AgileBits. Does anyone know how to ensure that the data file continues to be synced to Dropbox or iCloud, not AgileBits? (Looking into my configuration, it would appear that AgileBits has silently moved my data from iCloud to the AgileBits cloud.)

EDIT: Found: https://support.1password.com/sync-with-dropbox/

[+] StavrosK|8 years ago|reply
This is only tangentially related, but I believe it's time to have a unified login standard for the web. Not in the OAuth sense, as that's hard to do, but just a small, machine-readable file that tells your password manager "to log this user in, just submit credentials to /whatever/url/".

That way, your password manager would show a "login" button on the browser's toolbar when you visited any page in a site, you'd click it, and you'd be logged in (or possibly be asked for a two-factor code or be redirected to a two-factor page) immediately and certainly.

Is there anyone here who's working on a password manager who'd like to develop this with me? I've been wanting to write a spec and Django/Python implementation of it.

[+] jimktrains2|8 years ago|reply
> just submit credentials to /whatever/url/".

No, No. We shouldn't send credentials to anywhere. We should be using things like client certs or SRP. We need to solve the UI and UX problems and actually create better systems, not keep patching over the same broken system.

[+] eddieroger|8 years ago|reply
It's been tried in various flavors of that. The one I liked the best was OpenID. You designate who you trust to actually log you in, which could even be localhost if you set your redirects right, then provide a URL as your "login." There was a somewhat standardized set of data that could go back and forth, and if a specific site needed more, it could ask for it on its own.

The problem, I think, is that every site wants to own the web, and doesn't want to give up anything, let alone login. Facebook and Twitter and Google all want to be the auth providers to the net, but then you have to trust them in a much more elevated way than you should, and their motives are more around building a profile of you and where you go on the net than being a secure auth provider. If Facebook started supporting U2F (they may, I don't know), Yubikey sales would explode tomorrow and the web may be a safer place, who knows.