-- That's also why I don't use a password service: To me it seems like the first place a hacker would attack.
To put it bluntly, that's fucking stupid.
How the fuck are you going to have a complex, random, 60-characer password for, say Gmail without a password manager. Do you have an eidetic memory that you can make unlimited passwords of this length without every forgetting a single one or do you use just a few simple passwords with a couple slight variations? if you use no password manager than you're using the latter… which is fucking stupid.
You don't even need to use a digital password manager. You can keep it written down in a notebook, if you wish, even with some minor encryption so it's not completely plaint text. This works because the person who breaks into your home to steal your valuables isn't likely going to be wanting to steal your online logins.
But I'm pretty sure you're referring only to apps like 1Password that save only a local vault, which is it's own encrypted vault, which should also be protected by having File Vault to encrypt your entire disc, and soon even more low-level encryption with APFS. None of these things are the first place a hacker would attack. The first thing they're think about is getting access to a machine, and usually not some nobody, but server farms, which means you don't have to keep a single fucking piece of data on those servers.
The 1Password app makes this easy by allowing you to directly transfer your vault to other devices locally through an ad-hoc network, instead of through a file sharing service. How how exactly would this be the first place a hacker would attack if there are so many other security checkpoints in the way before you even get to your 1Password vault? Why not go after ones iCloud account, which has access to an excessive number of actual activities performed by users, but also a prerequisite to even see your 1Password vault synced via iCloud, if you choose to go that route?
I use SplashID, which has local sync options and a lifetime license that you can buy at a reasonable price that gives you unlimited updates for as long as they make the product.
I rely upon 1Password on all my Apple devices, every day. I have abandoned some products when they transitioned to subscription models, and paid for others. That said, I too work in the business of software and completely understand the dilemma that AgileBits is dealing with. Simply put, a "buy once, support forever" model is unsustainable and will eventually kill your business, no matter how much people say they want it, no matter how much it "feels" like the right thing to do.
I am certainly willing to give AgileBits the benefit of the doubt for now. They are trying to balance support and survival, and there aren't a lot of good options.
-- That's also why I don't use a password service: To me it seems like the first place a hacker would attack.
To put it bluntly, that's fucking stupid.
How the fuck are you going to have a complex, random, 60-characer password for, say Gmail without a password manager. Do you have an eidetic memory that you can make unlimited passwords of this length without every forgetting a single one or do you use just a few simple passwords with a couple slight variations? if you use no password manager than you're using the latter… which is fucking stupid.
You don't even need to use a digital password manager. You can keep it written down in a notebook, if you wish, even with some minor encryption so it's not completely plaint text. This works because the person who breaks into your home to steal your valuables isn't likely going to be wanting to steal your online logins.
But I'm pretty sure you're referring only to apps like 1Password that save only a local vault, which is it's own encrypted vault, which should also be protected by having File Vault to encrypt your entire disc, and soon even more low-level encryption with APFS. None of these things are the first place a hacker would attack. The first thing they're think about is getting access to a machine, and usually not some nobody, but server farms, which means you don't have to keep a single fucking piece of data on those servers.
The 1Password app makes this easy by allowing you to directly transfer your vault to other devices locally through an ad-hoc network, instead of through a file sharing service. How how exactly would this be the first place a hacker would attack if there are so many other security checkpoints in the way before you even get to your 1Password vault? Why not go after ones iCloud account, which has access to an excessive number of actual activities performed by users, but also a prerequisite to even see your 1Password vault synced via iCloud, if you choose to go that route?
You make the assumption that a hacker is trying to directly attack you as an individual...as opposed to an opportunistic attack that scoop up vaults on infected computers. Any attack vector that deposits a keylogger on your machine can also easily look for and sweep up the agilebit folders to grab your vault and exfiltrate it. Or just unencrypt it on your box and send all that data to its control server.
The vault file format isn't hidden and there are cmd line apps that provide access if you have the master password.
Lastpass also has a command line capability but with 2FA at least it doesn't let you sync the vault from the server. That's not as helpful since typically you have it cached locally anyway.
but you can clear the cache after encrypting a backup and remove this vulnerablity.
Whats easier? Breaking into the average windows box, installing a keylogger and grabbing any 1Pass/LastPass vaults it finds or breaking into 1Pass or LastPass servers?
So the whole "local is safer" thing is like installing a high grade deadbolt on a flimsy door.
If someone can ransomeware your box they could also easily steal your password vault and master password.
I rely upon 1Password on all my Apple devices, every day. I have abandoned some products when they transitioned to subscription models, and paid for others. That said, I too work in the business of software and completely understand the dilemma that AgileBits is dealing with. Simply put, a "buy once, support forever" model is unsustainable and will eventually kill your business, no matter how much people say they want it, no matter how much it "feels" like the right thing to do.
I am certainly willing to give AgileBits the benefit of the doubt for now. They are trying to balance support and survival, and there aren't a lot of good options.
While this is true, going the subscription route shouldn't have to be the only solution (if that's what it ends up being). They could just charge a nominal fee for the buy-in, and something reasonable for major upgrades (even if the cost is similar to the subscription model) And really, the issue for me isn't cost so much, as it is being beholden to yet another monthly bloodsucker that I have to maintain (despite the option of having the charge hit my card or whatever).
I don't trust AgileBits any more.
This thug-boot insistence towards monthly subscriptions and (according to them) beneficial cloud storage, smells more like a gigantic revenue source has been added by the board. Being a heartless company based inside a Five Eyes member country, it wouldn't surprise me AgileBits found being friendly to multiple government agencies brings with it, untold economic benefits. F' AgileBits and 1Password, I'm out!
Does @thomasg have any evidence for the rant about Agilebits/1Password?
There has been no 'insistence' to move to 1Password.com from using Dropbox or iCloud or WiFi to sync iPhone & Mac. I found 1Password.com benefits to be compelling with no compromise of security.
I think it was when 1Password 6 came out, I contacted Agilebits asking if they would force users to use their cloud servers for storage, as it's a big no no for me. I was then told by the support staff/dave by Agilebits that this would never be the case.
I to my horror read an article where they more or less back down on what I was told ... well time to look for a different product as I do not want to pay a monthly fee to use a product I paid for (I also would like to see Adobe beep beep beep).
The monthly fee model is only there to secure a steady income, there is no other reason.
If they screw up 1Password hopefully iCloud Keychain will have picked up the slack by then.
Keychain cannot replace 1Password as it does not have any browser plugin (except for Safari which plugs into OSX/IOS) , and it's only on work on Apple products.
Also I am not 100% sure that Apple is much better than 1password to protect our data.
Only reason to use it would be that it's free, but then there are probably other options.
I found 1Password.com benefits to be compelling with no compromise of security.
No compromise compared to what? Certainly not compared to locally managed storage.
Want to bet it's easier to break into your box than their servers? The big breakins to corporate servers make headlines but given the number of compromised windows boxes I'd say that local storage is equally vulnerable if not more so.
-- That's also why I don't use a password service: To me it seems like the first place a hacker would attack.
To put it bluntly, that's fucking stupid.
How the fuck are you going to have a complex, random, 60-characer password for, say Gmail without a password manager. Do you have an eidetic memory that you can make unlimited passwords of this length without every forgetting a single one or do you use just a few simple passwords with a couple slight variations? if you use no password manager than you're using the latter… which is fucking stupid.
You don't even need to use a digital password manager. You can keep it written down in a notebook, if you wish, even with some minor encryption so it's not completely plaint text. This works because the person who breaks into your home to steal your valuables isn't likely going to be wanting to steal your online logins.
But I'm pretty sure you're referring only to apps like 1Password that save only a local vault, which is it's own encrypted vault, which should also be protected by having File Vault to encrypt your entire disc, and soon even more low-level encryption with APFS. None of these things are the first place a hacker would attack. The first thing they're think about is getting access to a machine, and usually not some nobody, but server farms, which means you don't have to keep a single fucking piece of data on those servers.
The 1Password app makes this easy by allowing you to directly transfer your vault to other devices locally through an ad-hoc network, instead of through a file sharing service. How how exactly would this be the first place a hacker would attack if there are so many other security checkpoints in the way before you even get to your 1Password vault? Why not go after ones iCloud account, which has access to an excessive number of actual activities performed by users, but also a prerequisite to even see your 1Password vault synced via iCloud, if you choose to go that route?
You make the assumption that a hacker is trying to directly attack you as an individual...as opposed to an opportunistic attack that scoop up vaults on infected computers. Any attack vector that deposits a keylogger on your machine can also easily look for and sweep up the agilebit folders to grab your vault and exfiltrate it. Or just unencrypt it on your box and send all that data to its control server.
The vault file format isn't hidden and there are cmd line apps that provide access if you have the master password.
Lastpass also has a command line capability but with 2FA at least it doesn't let you sync the vault from the server. That's not as helpful since typically you have it cached locally anyway.
but you can clear the cache after encrypting a backup and remove this vulnerablity.
Whats easier? Breaking into the average windows box, installing a keylogger and grabbing any 1Pass/LastPass vaults it finds or breaking into 1Pass or LastPass servers?
So the whole "local is safer" thing is like installing a high grade deadbolt on a flimsy door.
If someone can ransomeware your box they could also easily steal your password vault and master password.
Yeah, social engineering its way in compromising the device your in its unlocked state is the way to go.
Also, 1password would be just as safe as the device with the weakest security your logging in, say you have an Android Phone with an old unpatched version.
Once they got that, well through sideloading, exploits chains, etc, they can eventually get access to all your other passwords.
Best thing to keep something secure is having the password unique to a service (or even device). That way, if your compromised you just remove access from this device/service combination.
…every change they ever made has been driven by maximizing sales and profit over giving users what they want.
If the end of your sentence were true then they can't be focusing on maximizing sales and profits.
I agree with you in this case, but disagree with your statement in general. You can easily focus on maximizing sales and profits while not giving customers what they want. However, unless you've somewhat got a monopoly (or insane brand reputation to burn through), it will be a short-lived optimization.
Unfortunately, in our quarter-to-quarter based economy, it's not all that uncommon. It just isn't usually all or nothing of one or the other.
Soli said: How is that not different than a hacker getting access to iCloud, Dropbox, or any other major server with millions of accounts? You do not understand that getting access to 1Password's servers does not mean they have access to any single user account vault because 1Password doesn't keep keys to anyone's vault? It's no different than syncing your 1Password vault through Dropbox and Dropbox being hacked. Even if your account is compromised your vault is still protected by its own encryption and would require its password to be unlocked, which is why one should use a very long and secure pass-phrase for their vault.
Yep, when I looked at 1Password's page or white-paper on it, it looked like a pretty good implementation. And, yes, if you use anything but local, you're somewhat less secure no matter what service it is. If you store an encrypted file on Dropbox, there are a few layers of security there too. Both are relatively safe, just not as safe as not on the cloud at all.
-- That's also why I don't use a password service: To me it seems like the first place a hacker would attack.
To put it bluntly, that's fucking stupid.
How the fuck are you going to have a complex, random, 60-characer password for, say Gmail without a password manager. Do you have an eidetic memory that you can make unlimited passwords of this length without every forgetting a single one or do you use just a few simple passwords with a couple slight variations? if you use no password manager than you're using the latter… which is fucking stupid.
You don't even need to use a digital password manager. You can keep it written down in a notebook, if you wish, even with some minor encryption so it's not completely plaint text. This works because the person who breaks into your home to steal your valuables isn't likely going to be wanting to steal your online logins.
But I'm pretty sure you're referring only to apps like 1Password that save only a local vault, which is it's own encrypted vault, which should also be protected by having File Vault to encrypt your entire disc, and soon even more low-level encryption with APFS. None of these things are the first place a hacker would attack. The first thing they're think about is getting access to a machine, and usually not some nobody, but server farms, which means you don't have to keep a single fucking piece of data on those servers.
The 1Password app makes this easy by allowing you to directly transfer your vault to other devices locally through an ad-hoc network, instead of through a file sharing service. How how exactly would this be the first place a hacker would attack if there are so many other security checkpoints in the way before you even get to your 1Password vault? Why not go after ones iCloud account, which has access to an excessive number of actual activities performed by users, but also a prerequisite to even see your 1Password vault synced via iCloud, if you choose to go that route?
You make the assumption that a hacker is trying to directly attack you as an individual.
-- That's also why I don't use a password service: To me it seems like the first place a hacker would attack.
To put it bluntly, that's fucking stupid.
How the fuck are you going to have a complex, random, 60-characer password for, say Gmail without a password manager. Do you have an eidetic memory that you can make unlimited passwords of this length without every forgetting a single one or do you use just a few simple passwords with a couple slight variations? if you use no password manager than you're using the latter… which is fucking stupid.
You don't even need to use a digital password manager. You can keep it written down in a notebook, if you wish, even with some minor encryption so it's not completely plaint text. This works because the person who breaks into your home to steal your valuables isn't likely going to be wanting to steal your online logins.
But I'm pretty sure you're referring only to apps like 1Password that save only a local vault, which is it's own encrypted vault, which should also be protected by having File Vault to encrypt your entire disc, and soon even more low-level encryption with APFS. None of these things are the first place a hacker would attack. The first thing they're think about is getting access to a machine, and usually not some nobody, but server farms, which means you don't have to keep a single fucking piece of data on those servers.
The 1Password app makes this easy by allowing you to directly transfer your vault to other devices locally through an ad-hoc network, instead of through a file sharing service. How how exactly would this be the first place a hacker would attack if there are so many other security checkpoints in the way before you even get to your 1Password vault? Why not go after ones iCloud account, which has access to an excessive number of actual activities performed by users, but also a prerequisite to even see your 1Password vault synced via iCloud, if you choose to go that route?
You make the assumption that a hacker is trying to directly attack you as an individual.
Um… no.
Um...yes.
"The first thing they're think about is getting access to a machine, and usually not some nobody, but server farms, ... How how exactly would this be the first place a hacker would attack if there are so many other security checkpoints in the way before you even get to your 1Password vault? Why not go after ones iCloud account, which has access to an excessive number of actual activities performed by users, but also a prerequisite to even see your 1Password vault synced via iCloud, if you choose to go that route?"
Attacking hardened servers requires more skill and is much harder than getting a prebuilt exploit kit for a few thousand bucks and releasing it into the wild with your payload. A keylogger root kit (which you can also buy) and a simple search for high value files like password vaults (which any script kiddie can manage) easily negates any purported advantage of keeping only local vaults.
Another scenario where LastPass + 2FA is superior to 1Pass local vaults is where you are allowed to use your work laptop for personal use and you use 1Pass local vault. It's not your machine and in most jurisdictions they are allowed to monitor everything you do and backup everything on that machine. Meaning any of the admins would have full access to your vault just by looking at your key logs and grabbing the backup.
On LastPass they would still need your 2FA Authenticator even if they have your master password if you only use the website and not the browser extension that's does a local cache.
The whole local is more secure than remote argument ignores the reality of how most folks will get hit.
If Apple will step up the features on Keychain, including iCloud Keychain then people might not need 1Password at all. ... Companies need to get off this concept of sucking on our wallets like money vampires. I'm getting really tired of it and if they continue...
There are massive feature gaps between iCloud Keychain and my password manager. But, aside from that... you'd trust a company with Apple's cloud history to store and manage your most crucial data? What about backup and archival, for a start? This is the kind of thing you want to use the best experts and services for... not an after-thought.
But, you might be in for a low-tech future then, as subscription models seem to be the future of software. I'm OK with that.... IF it isn't a move to drastically increase the overall cost. In other words, I totally get that it's better for the developers to have $5/mo instead say $50 outright purchase every year or so. But, the problem is some companies went from like $50 every year or so to like $15/mo or stuff like that. (I'm not sure how 1Password pricing falls in that regard.)
That said, the other trend is that compatibility seems to drop off more quickly too, so that you maybe used to buy and app and wouldn't *need* to upgrade for years if you didn't care about certain new features. Now, you often have to upgrade yearly anyway or not update the rest of your system. If you have to re-buy every year anyway, why not just subscribe?
nht said: Folks that believe "its local and thus more secure" is engaging in wishful thinking especially if they use iCloud or Dropbox as the integration path.
... For me, LastPass is good enough and I even pay them their sub of $12 a year. That's still cheaper than 1Pass.
Well, yea, if you store it in the cloud, then it's not local anymore. If it's local only, it's not wishful thinking that it's more secure. But, here's the thing... unless the sync and transport and cloud mechanisms are really secure and really well thought through, my PasswordWallet file stored on Dropbox *IS* more secure, as I'm just storing a data file in an already encrypted storage area. Not quite as good as local only, but better than a target *system* of password storage and transfer.
And again, that's assuming the cloud-password-manager is well designed (as I think 1Password is). Many aren't. Hasn't LastPass been hacked a couple of times already?
rob55 said: As for the question of it being ok to sync with iCloud, but not via 1Password servers, I think the reasoning may be something along the lines of the following:
Presumably, Apple is much more hardened against attack than Agile Bits.
I would absolutely, positively NOT be presuming that! Apple appears to be pretty good, in theory if they are telling the truth, about privacy. Security is a different thing.
prairiewalker said: Having the cloud storage allows having shared vaults with others if desired. We use this feature to give our estate trustees access to important information.
Yes, this is a huge advantage of 1Password. While it can be done without the cloud, it takes a considerable amount of discipline and planning.
Soli said: Just to be clear, they charge $2.99 for a monthly fee, which comes out to $35.88 per annum. ... Personally, I feel I've been underpaying for 1Password for all the years I've been buying their products and using it every single day to help me stay secure. If something better comes along I'll surely consider moving to it, but it will be based on features and ease of use, not cost.
No doubt! While people put this into the 'utility' class of apps (and then, I guess, think it should only cost $29.95?), it's (a password manager) one of the most important pieces of software on my machine, and one of the first I install. This is NOT the place to go cheap!
That said, PasswordWallet by Selznick is like $20, and I can't really recall upgrading more than 3 times over the past couple decades (at a reduced rate, none the less). Like you, it's probably the software I feel I've paid far to little for. I'm not sure about better, but it does have a couple features I use constantly, which have kept me from switching to 1Password (such as an auto-type feature that types into pretty much any app or field, including Terminal).
capserghst42 said: The monthly fee model is only there to secure a steady income, there is no other reason.
Even if that were the case, wouldn't that still be a good thing? I want my vendors to be financially stable. It doesn't look like the overall cost, in this case, went up dramatically.
nht said: Want to bet it's easier to break into your box than their servers? The big breakins to corporate servers make headlines but given the number of compromised windows boxes I'd say that local storage is equally vulnerable if not more so.
Heh, I might take you up on that bet. But, I get your point. We tech-oriented folks might keep our data safer and better backed up/archived locally, but that's not necessarily the case for the average user out there.
nht said: Want to bet it's easier to break into your box than their servers? The big breakins to corporate servers make headlines but given the number of compromised windows boxes I'd say that local storage is equally vulnerable if not more so.
Heh, I might take you up on that bet. But, I get your point. We tech-oriented folks might keep our data safer and better backed up/archived locally, but that's not necessarily the case for the average user out there.
The argument presented is that it is safer to store your money at home than at the bank because if you hit a bank you can get lots of money while nobody will target your home since you are a nobody.
That ignores that there are many more thieves with the ability to pop a window with a crowbar vs break into a bank and that burglaries target easy marks.
You may think your home is secure with your alarm, deadbolt and cameras but it isn't. One of the common things now is to simply pop a window, grab the alarm and put it in the freezer and ignore cameras because the thieves are from out of town and have no local ties. They grab cash and gold jewelry that can be melted and ignore traceable stuff. 10 mins in and out.
The cyber equivalent is a $3K exploit kit with keylogger and some burner servers. In a couple months you've got your own little trove of exploitable web cameras for perv sales/blackmail, targets for ransomware and busted password vaults to resell to someone that can vacuum bank accounts and do ID theft.
Yes LastPass had lost account info and password reminders but claim they didn't lose any vaults to hacking. Believe what you will on that but it's harder to break in there and with thousands of accounts to exploit you likely have more time to resecure accounts than from an individual hack if LastPass informs customers quickly. Especially if you've been ransomwared as part of the bargain...
Convience trumps security every time so it's real unlikely you're keeping as good security practice as you think you are on your local box.
1Pass should have implemented 2FA. They easily could have for an extra layer of security but couldn't be bothered to.
nht said: Another scenario where LastPass + 2FA is superior to 1Pass local vaults is where you are allowed to use your work laptop for personal use and you use 1Pass local vault. It's not your machine and in most jurisdictions they are allowed to monitor everything you do and backup everything on that machine. Meaning any of the admins would have full access to your vault just by looking at your key logs and grabbing the backup.
Good point. In this case, I wouldn't have anything personal on there anyway, including my personal 1Password 'vault.' I'd keep that on my home machine and iDevices (that were mine) and use a separate 1Password account or other app to manage my work passwords. Too many years in IT I guess... but I either control my work machine, or it becomes ONLY a work machine. Don't cross the streams.
The argument presented is that it is safer to store your money at home than at the bank because if you hit a bank you can get lots of money while nobody will target your home since you are a nobody. ... The cyber equivalent is a $3K exploit kit with keylogger and some burner servers. In a couple months you've got your own little trove of exploitable web cameras for perv sales/blackmail, targets for ransomware and busted password vaults to resell to someone that can vacuum bank accounts and do ID theft. ... Yes LastPass had lost account info and password reminders but claim they didn't lose any vaults to hacking.
--------- sorry, the quote ends here... the editor won't keep the HTML ---------
I guess that depends on whether the security and risk of being caught differences between company and home really hold true to the analogy. Plus, if it's in regard to me, I'm more skilled than the average home user at keeping my data safe, so that ups my chances on the local side.
But, I suppose I agree that at least in theory, a cloud service could be as secure or even more secure for the average user. The problem is that I'd never trusts a service to take care of my password vault, so I'd only use services that allowed me to backup/archive. And, then, I'd be in the same boat if a hacker were able to keylog my master password and get ahold of the data file.
That's good if no vaults got hacked. I didn't follow the story too closely, as I don't use it. I guess my point is that just like we home users, companies make mistakes or have holes in their armor... they are just far more likely to be directly targeted. (Which is a bit back to the original point/analogy.)
... to be the future of software. I'm OK with that.... IF it isn't a move to drastically increase the overall cost. In other words, I totally get that it's better for the developers to have $5/mo instead say $50 outright purchase every year or so. But, the problem is some companies went from like $50 every year or so to like $15/mo or stuff like that. (I'm not sure how 1Password pricing falls in that regard.)
That's where I'm on the fence about the while subscription deal. I certainly get that software isn't like a physical product, where you might have a few product being sold every day (TVs, cars, ...) to keep your company afloat. Software is expected to create new versions and new features while income is trickling in, hoping the next version will bring a waterfall of cash in, which will keep them afloat until the next release, and so forth.
But as more and more products move to this, I'm going to "for a few bucks a month" myself into the poor house as "Just $5 a month" and "for only $10 a month" slowly eats away all my disposable income.
Value is another interesting argument. I do subscribe to lightroom/photoshop, as I use them constantly, they provide frequent 'new' features on a regular basis - I value that. (Plus they were expensive stand-alone products to begin with). On the other hand I'll never subscribe to MS Office - Word and XL are nice, but they're bug filled, I don't use them daily, and why pay $10/month for something that normally costs $100 every 3-4 years.
So how do I personally value 1PW? I certainly use it daily. As a society we're being passworded daily - I have over 700 entries in my database (ugh). But cloud aside, it would be a tough decision for me to subscribe, as I can't imagine a ton of new features ever being added to 1PW, and I already store in the cloud (dropbox). Is there value in helping keep a company afloat just so their product stays maintained? All interesting questions.... And I decision I'll have to make come the day they stop updating the stand-along app and make we legacy people subscribe or hit the road....
Comments
How the fuck are you going to have a complex, random, 60-characer password for, say Gmail without a password manager. Do you have an eidetic memory that you can make unlimited passwords of this length without every forgetting a single one or do you use just a few simple passwords with a couple slight variations? if you use no password manager than you're using the latter… which is fucking stupid.
You don't even need to use a digital password manager. You can keep it written down in a notebook, if you wish, even with some minor encryption so it's not completely plaint text. This works because the person who breaks into your home to steal your valuables isn't likely going to be wanting to steal your online logins.
But I'm pretty sure you're referring only to apps like 1Password that save only a local vault, which is it's own encrypted vault, which should also be protected by having File Vault to encrypt your entire disc, and soon even more low-level encryption with APFS. None of these things are the first place a hacker would attack. The first thing they're think about is getting access to a machine, and usually not some nobody, but server farms, which means you don't have to keep a single fucking piece of data on those servers.
The 1Password app makes this easy by allowing you to directly transfer your vault to other devices locally through an ad-hoc network, instead of through a file sharing service.
The vault file format isn't hidden and there are cmd line apps that provide access if you have the master password.
Lastpass also has a command line capability but with 2FA at least it doesn't let you sync the vault from the server. That's not as helpful since typically you have it cached locally anyway.
but you can clear the cache after encrypting a backup and remove this vulnerablity.
Whats easier? Breaking into the average windows box, installing a keylogger and grabbing any 1Pass/LastPass vaults it finds or breaking into 1Pass or LastPass servers?
So the whole "local is safer" thing is like installing a high grade deadbolt on a flimsy door.
If someone can ransomeware your box they could also easily steal your password vault and master password.
There has been no 'insistence' to move to 1Password.com from using Dropbox or iCloud or WiFi to sync iPhone & Mac. I found 1Password.com benefits to be compelling with no compromise of security.
I to my horror read an article where they more or less back down on what I was told ... well time to look for a different product as I do not want to pay a monthly fee to use a product I paid for (I also would like to see Adobe beep beep beep).
The monthly fee model is only there to secure a steady income, there is no other reason.
Keychain cannot replace 1Password as it does not have any browser plugin (except for Safari which plugs into OSX/IOS) , and it's only on work on Apple products.
Also I am not 100% sure that Apple is much better than 1password to protect our data.
Only reason to use it would be that it's free, but then there are probably other options.
Bill
Unfortunately, in our quarter-to-quarter based economy, it's not all that uncommon. It just isn't usually all or nothing of one or the other.
Yep, when I looked at 1Password's page or white-paper on it, it looked like a pretty good implementation. And, yes, if you use anything but local, you're somewhat less secure no matter what service it is. If you store an encrypted file on Dropbox, there are a few layers of security there too. Both are relatively safe, just not as safe as not on the cloud at all.
To each their own... but I'd NOT be trusting my whole bank of passwords to Apple's cloud!!!
"The first thing they're think about is getting access to a machine, and usually not some nobody, but server farms,
...
How how exactly would this be the first place a hacker would attack if there are so many other security checkpoints in the way before you even get to your 1Password vault? Why not go after ones iCloud account, which has access to an excessive number of actual activities performed by users, but also a prerequisite to even see your 1Password vault synced via iCloud, if you choose to go that route?"
Attacking hardened servers requires more skill and is much harder than getting a prebuilt exploit kit for a few thousand bucks and releasing it into the wild with your payload. A keylogger root kit (which you can also buy) and a simple search for high value files like password vaults (which any script kiddie can manage) easily negates any purported advantage of keeping only local vaults.
Another scenario where LastPass + 2FA is superior to 1Pass local vaults is where you are allowed to use your work laptop for personal use and you use 1Pass local vault. It's not your machine and in most jurisdictions they are allowed to monitor everything you do and backup everything on that machine. Meaning any of the admins would have full access to your vault just by looking at your key logs and grabbing the backup.
On LastPass they would still need your 2FA Authenticator even if they have your master password if you only use the website and not the browser extension that's does a local cache.
The whole local is more secure than remote argument ignores the reality of how most folks will get hit.
But, you might be in for a low-tech future then, as subscription models seem to be the future of software. I'm OK with that.... IF it isn't a move to drastically increase the overall cost. In other words, I totally get that it's better for the developers to have $5/mo instead say $50 outright purchase every year or so. But, the problem is some companies went from like $50 every year or so to like $15/mo or stuff like that. (I'm not sure how 1Password pricing falls in that regard.)
That said, the other trend is that compatibility seems to drop off more quickly too, so that you maybe used to buy and app and wouldn't *need* to upgrade for years if you didn't care about certain new features. Now, you often have to upgrade yearly anyway or not update the rest of your system. If you have to re-buy every year anyway, why not just subscribe?
Well, yea, if you store it in the cloud, then it's not local anymore.
And again, that's assuming the cloud-password-manager is well designed (as I think 1Password is). Many aren't. Hasn't LastPass been hacked a couple of times already?
I would absolutely, positively NOT be presuming that!
Apple appears to be pretty good, in theory if they are telling the truth, about privacy. Security is a different thing.
Yes, this is a huge advantage of 1Password. While it can be done without the cloud, it takes a considerable amount of discipline and planning.
That said, PasswordWallet by Selznick is like $20, and I can't really recall upgrading more than 3 times over the past couple decades (at a reduced rate, none the less). Like you, it's probably the software I feel I've paid far to little for. I'm not sure about better, but it does have a couple features I use constantly, which have kept me from switching to 1Password (such as an auto-type feature that types into pretty much any app or field, including Terminal).
Even if that were the case, wouldn't that still be a good thing? I want my vendors to be financially stable. It doesn't look like the overall cost, in this case, went up dramatically.
Heh, I might take you up on that bet.
That ignores that there are many more thieves with the ability to pop a window with a crowbar vs break into a bank and that burglaries target easy marks.
You may think your home is secure with your alarm, deadbolt and cameras but it isn't. One of the common things now is to simply pop a window, grab the alarm and put it in the freezer and ignore cameras because the thieves are from out of town and have no local ties. They grab cash and gold jewelry that can be melted and ignore traceable stuff. 10 mins in and out.
The cyber equivalent is a $3K exploit kit with keylogger and some burner servers. In a couple months you've got your own little trove of exploitable web cameras for perv sales/blackmail, targets for ransomware and busted password vaults to resell to someone that can vacuum bank accounts and do ID theft.
Yes LastPass had lost account info and password reminders but claim they didn't lose any vaults to hacking. Believe what you will on that but it's harder to break in there and with thousands of accounts to exploit you likely have more time to resecure accounts than from an individual hack if LastPass informs customers quickly. Especially if you've been ransomwared as part of the bargain...
Convience trumps security every time so it's real unlikely you're keeping as good security practice as you think you are on your local box.
1Pass should have implemented 2FA. They easily could have for an extra layer of security but couldn't be bothered to.
nht said:
The argument presented is that it is safer to store your money at home than at the bank because if you hit a bank you can get lots of money while nobody will target your home since you are a nobody.
...
The cyber equivalent is a $3K exploit kit with keylogger and some burner servers. In a couple months you've got your own little trove of exploitable web cameras for perv sales/blackmail, targets for ransomware and busted password vaults to resell to someone that can vacuum bank accounts and do ID theft.
...
Yes LastPass had lost account info and password reminders but claim they didn't lose any vaults to hacking.
--------- sorry, the quote ends here... the editor won't keep the HTML ---------
I guess that depends on whether the security and risk of being caught differences between company and home really hold true to the analogy. Plus, if it's in regard to me, I'm more skilled than the average home user at keeping my data safe, so that ups my chances on the local side.
But, I suppose I agree that at least in theory, a cloud service could be as secure or even more secure for the average user. The problem is that I'd never trusts a service to take care of my password vault, so I'd only use services that allowed me to backup/archive. And, then, I'd be in the same boat if a hacker were able to keylog my master password and get ahold of the data file.
That's good if no vaults got hacked. I didn't follow the story too closely, as I don't use it. I guess my point is that just like we home users, companies make mistakes or have holes in their armor... they are just far more likely to be directly targeted. (Which is a bit back to the original point/analogy.)
That's where I'm on the fence about the while subscription deal. I certainly get that software isn't like a physical product, where you might have a few product being sold every day (TVs, cars, ...) to keep your company afloat. Software is expected to create new versions and new features while income is trickling in, hoping the next version will bring a waterfall of cash in, which will keep them afloat until the next release, and so forth.
But as more and more products move to this, I'm going to "for a few bucks a month" myself into the poor house as "Just $5 a month" and "for only $10 a month" slowly eats away all my disposable income.
Value is another interesting argument. I do subscribe to lightroom/photoshop, as I use them constantly, they provide frequent 'new' features on a regular basis - I value that. (Plus they were expensive stand-alone products to begin with). On the other hand I'll never subscribe to MS Office - Word and XL are nice, but they're bug filled, I don't use them daily, and why pay $10/month for something that normally costs $100 every 3-4 years.
So how do I personally value 1PW? I certainly use it daily. As a society we're being passworded daily - I have over 700 entries in my database (ugh). But cloud aside, it would be a tough decision for me to subscribe, as I can't imagine a ton of new features ever being added to 1PW, and I already store in the cloud (dropbox). Is there value in helping keep a company afloat just so their product stays maintained? All interesting questions.... And I decision I'll have to make come the day they stop updating the stand-along app and make we legacy people subscribe or hit the road....