Does anyone use 1Password?

I used Lastpass for years and dumped them when the LogMeIn thing happened. I switched to Bitwarden and was very happy when I learned that they became a TWiT sponsor.

But it looks like 1Password will be first out the door with Passkey support.

Which is making me give it another look now. Is anyone using 1Password family? How do you like it?

I’m not a fan of the price, $60/year for family. Bitwarden is significantly cheaper. And for the uber paranoid, BW has a self-hosted option.

But I don’t want to start creating passkeys and have them locked to a platform.

What sucks about all this is that SQRL fixed all this already. And it’s been around for how long now?

Thank you FIDO Alliance for reinventing the wheel…

1 Like

For the way things are handled, most folks don’t even know SQRL is a thing. Basically, only TWIT folk know of SQRL. For all we know, Passkey may have been in the works long before SQRL was created.

1 Like

I switched to 1Password in 2020. I had been using LastPass for most of the decade before, picking it up out of the TWiT sponsorship & Steve’s analysis of the code in 2010. In 2020, it stopped working with Firefox on Android, so I started looking for an alternative.

I had just started listening to the 1Password podcast, which I had discovered by accident, and I thoroughly enjoyed listening to the team; they did interviews each show with key personnel or industry experts. It was the personnel interviews which persuaded me to switch to 1Password, they were knowledgeable and they came across as people who cared about their product.

I’ve been very happy with it, it works very well and the money is worth it.

3 Likes

I’ve been using 1Password for several years now. I had a non-subscription license for the longest time, but eventually caved and went with the family plan for my partner and I.

I personally think it’s fantastic and worth the yearly sub. If you’re Mac or iOS-based, they write really great Apple software. I only have to remember my master password and it works flawlessly with both TouchID and FaceID. It works across all of our devices with no issues.

I guess the only downside might be that your data is stored on their own cloud servers, so it’s possible they could get hacked at some point as well. I’ve seen that complaint pop up on other discussions. I think you can store your library locally if that’s an issue.

2 Likes

That is the problem with all password managers, either the data is held locally, so you have to find some way of keeping various devices in sync yourself, without using a cloud service, or you use the convenience of a cloud service to automatically sync the password database between devices.

As soon as you go for a convenient solution, you lose a point of security, but you gain flexibility and redundancy, without having to worry about it yourself.

If you have the data on the cloud, you are at risk if the cloud service gets hacked - whether that be a password manager cloud, or iCloud, OneDrive, GDrive, HyperDrive etc. If you have it local and your system is hacked, the encrypted blob is available to the hacker as well. If you are hit by crypto malware, your blob won’t be accessible, unless you made your own backup.

Likewise, if you use your own private cloud (a NAS with DynDNS or a server running NextCloud etc.), you have the same problems as the full cloud services, with the added point of you probably not being a full systems administrator, security expert and pen tester, so your system probably isn’t as well implemented and secured as a professional cloud service - especially if you don’t keep it updated.

You have to place your trust somewhere, and if you are using a PC, tablet and smartphone, a dedicated cloud service makes the most sense, as they should be professionals and they should know what they are doing… Even with the LastPass data leak, they only have the encrypted blob, the usernames and passwords should still be secure, the hackers will need to brute force each blob individually, as “everybody” has their own strong master password, so it will take millennia to break into each blob, using current brute force techniques and state of the art hardware.

Unless they strike lucky - they start on your blob and you used a weak password that is easily guessed - you will have several lifetimes in which to go around and change all your passwords.

I’ll phrase the following generically, as it is pertinent to every password manager, whether it is using the password manager’s own cloud, a cloud service like OneDrive etc. or is stored only on your local PC or your own private cloud.

Do you need to change your master password?
If it is strong, not really, it won’t change anything, as the hackers have your blob and changing your master password won’t affect the extracted blob. Only if they still have their fingers in the host system, where the live blob is stored, will they be able to check back in and see your changed passwords, once they have cracked your master password.

Do you need to change your individual site passwords?
This is probably a good idea, but triage your data and prioritise what needs changing - banking, social media and shopping sites need to be top of the list, as do Apple, Google, Microsoft etc. Forums or sites without financial data about you can be bumped down the list, they would be annoying if you lost control of them or somebody logged in as you and spammed them, but they aren’t priority number one.

Should you change the password manager you are using?
All of them are vulnerable to this sort of attack, so there is no guarantee. You could swap from your current PM to a new one, just as they get hacked… You could find yourself in an eternal hell of constantly swapping password managers. If they have done a good job securing your blob & you are generally happy with the service, there is no reason to jump on day 1. If they are getting regularly hit, then it is a good time to move.

In the explicit case of LastPass, they were hit twice within a couple of months. The first time, they managed to get some source code and enough information to phish an employee to get access to encrypted cloud backups, including the encryption keys, which is how they managed to get the blobs. Two incidents within a couple of months says to me that they dropped the ball on user training after the first attack.

Secondly, it transpires that important, but not critical security information, such as the URLs to the individual entries in the safe, were not encrypted, only usernames, passwords and secure notes. This makes the decryption on the client a little quicker, but given today’s hardware, I would have expected all information to have been encrypted.

3 Likes
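An added illustration of the arithmetic behind big_D’s “they only have the blob” argument above (this is not code from the thread or from any password manager). It derives a vault key the way most managers do, PBKDF2-HMAC-SHA256 from the master password and a salt only, and estimates brute-force time; the attacker hash rate, the iteration counts and the word list size are assumptions.

```python
import hashlib
import math

DICEWARE_WORDS = 7776            # standard diceware list size (6^5)
ASSUMED_SHA256_PER_SEC = 1e11    # assumed raw SHA-256 rate of an attacker's GPU rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(num_words, list_size=DICEWARE_WORDS):
    """Entropy of a randomly chosen passphrase of num_words words."""
    return num_words * math.log2(list_size)


def vault_key(master_password, salt, iterations):
    """Derive the vault encryption key from master password + salt only.
    A second factor never enters this derivation, which is why 2FA on the
    vault login does nothing for a blob that has already been stolen."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def expected_crack_years(entropy_bits, iterations, rate=ASSUMED_SHA256_PER_SEC):
    """Average time to recover the master password offline: each guess costs
    `iterations` SHA-256 calls and on average half the space is searched."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / rate / SECONDS_PER_YEAR


def compare_scenarios(iterations=600_000):
    """Strong 6-word diceware passphrase vs. a weak 8-letter lowercase password,
    both against the same stolen blob and the same (assumed) KDF cost."""
    strong = passphrase_entropy_bits(6)
    weak = 8 * math.log2(26)
    return {
        "diceware_6_words_years": expected_crack_years(strong, iterations),
        "lowercase_8_chars_years": expected_crack_years(weak, iterations),
    }


if __name__ == "__main__":
    # Constructed values: changing the master password yields a new key, but the
    # old blob still opens with the old key, so the stolen copy is unaffected.
    salt = b"constructed-per-vault-salt"
    old_key = vault_key("correct horse battery staple", salt, 600_000)
    new_key = vault_key("different passphrase entirely", salt, 600_000)
    print("key changed:", old_key != new_key)
    for name, years in compare_scenarios().items():
        print(f"{name}: {years:.3g} years")
```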

I have used Dashlane for longer than I can recall. I chose it because David Pogue recommended it in his New York Times Personal Computing column, so that dates it. At one point I looked at 1password and LastPass (especially after Steve Gibson’s review) but could see no real benefit in switching. As big_D says (and Steve does not), you have to trust someone. So far Dashlane has been good enough. Also, the support staff respond reasonably quickly when I contact them.
I do take two precautions. First, I keep a personal record of all my ids and passwords so if Dashlane vanishes tomorrow I have lost nothing except convenience. Second, I do not use Dashlane for any of my financial services websites so if it is hacked I have some measure of protection.

2 Likes

I’ve been using Bitwarden for years now, and they claim they’re end-to-end encrypted. They’re also hosted on Azure, which adds a small level of trust beyond just a vendor self-hosting in their own data centers.

Bitwarden also has the option to host it yourself if you’re that paranoid.

Me, I went with a solution that some people consider pretty smart, and others consider to be stupid.

I created a strong and complicated diceware password that according to various internet sites will take thousands of years to crack. I then wrote that password down. I also stored that password in a Keepass vault that’s on my home Nextcloud server.

Then to make it easy on myself, I bought hardware programmable keyboards, programmed the password to type when I hit a certain key combination, and removed the configuration software from my Mac.

This allows me to make a very long and complicated password, and makes it easy to enter. I’m obviously at risk if someone gets on my Mac, figures out I have a hardware programmable keyboard, and finds a way to dump the EEPROM and rifle through it, or remotely installs the software to program the hardware and then launches it.

You have to draw the line somewhere. For ultimate password security, you’d need to keep it in a notebook out of view of any webcams near your computer.

1 Like

The only thing keeping me from using Dashlane is the price and (at the time) the lack of Linux support.

Or you know, press the sequence to make it type the password into a “notepad” program.

Azure is only as secure as your Azure expert, in-house. A lot of default settings for Azure (and Google Cloud & AWS etc.) are to have little or no security, you have to beef it up yourself, and on Azure, it is a Linux or Windows Server machine that needs to be properly configured to be safe.

I assume that BitWarden & 1Password have OS and security experts setting up their infrastructure, but whether it is on Azure/AWS etc. or in a datacentre, it doesn’t make much difference, other than possible redundancy, if they have mirrors in several regions.

How would they know that?

Is someone going to hack my PC and just randomly type keyboard combinations until they see a password pop up?

If I set my password keyboard combination to be left shift+right ctrl+left win+scroll lock, I think I’m pretty safe.

Security by obscurity can be effective, especially if you have a keyboard with a non-standard key such as an IBM M-122 or an old Apple keyboard with a power button. A remote attacker probably couldn’t even remotely push those extra keys.

1 Like

Those are non-characters, so can’t be used in a password, they are just used to tell the keyboard to pump out the stored string of characters. Anything that the keyboard then transmits to the Mac can be intercepted, either by an evil maid attack (placing a dongle between the keyboard and PC, installing a key logger etc.) or through external malware from an infected website, phishing email etc. (key logger) - or they can simply steal your keyboard.

They don’t need to press any keys, they just need to wait for you to press them, then read what the keyboard sends to the PC.

Then it doesn’t matter if my password is stored in my keyboard or not. Nothing is immune to a keylogger.

But I’m trying to keep my Bitwarden vault secure from online attack. I think a strong password in my keyboard + a Yubikey are going to be pretty secure.

If you have physical access to my computer, that’s a whole different scenario. The evil maid could also steal the notebook I have my password written down in.

2 Likes

Correct, password managers are a compromise between security and convenience. At the end of the day, you have to make it as secure as you can, but still usable. 2FA with a Yubikey is a great way to improve security, as opposed to an authenticator app - if you are using the password safe on the same device as the authenticator app, you don’t have MFA.

if you are using the password safe on the same device as the authenticator app, you don’t have MFA.

I disagree with that.

Go ahead and disagree, but you’re wrong. When it comes to password factors, only one affects the actual use of the password and that is the password itself. Any other factor is simply a gatekeeper to the use of the password, and that requires someone else (usually on the web) to block you from using your password until after you prove your 2nd/3rd factor(s). If you try to integrate an additional factor into a password, then it just becomes a different password, but it is still a first factor password.


True. But just because you have your password manager on the same device as your 2FA app, that doesn’t automatically negate the effectiveness of the second factor.

I have Bitwarden on my Mac, iPhone and iPad. And I also have OTP Auth on my Mac, iPad and iPhone. That doesn’t negate the effectiveness of my second factor just because both apps are on the same device.

In a perfect world, I would store all my TOTP codes on my Yubikey, but I can’t, because it doesn’t have enough storage.

There is a difference between using 2FA for the sites INSIDE your password manager, and the 2FA option of the password manager itself. The goal would have been for the 2FA to prevent someone from getting the vault to start with. If you get someone’s password vault, encrypted, you don’t care if they had 2FA on the vault, you have it. It’s then just a matter of brute forcing to find the password they encrypted the vault with to break in.

1 Like

Hadn’t thought about that angle. But I do have face recognition on iOS device enabled for both Bitwarden and Microsoft Authenticator. Also fingerprint reader for MacBook Air. Does that qualify as MFA?

Also - change the password to your account recovery method such as any email addresses used.

1 Like

What @big_D specifically wrote was:

if you are using the password safe on the same device as the authenticator app, you don’t have MFA.

This implies that you should have your password manager on your PC and never put your authenticator app on it. And if you have your authenticator app on your phone, then you should never install your password manager on your phone.

This is very unrealistic.

I used to print out my 2FA QR codes and stick them in a file cabinet in my house, and then put the TOTP codes into my Yubikey. I thought that was nice and secure.

The problem with that setup is that the Yubikey can’t handle enough 2FA codes for me. I enable 2FA anywhere I can. Right now I have 52 TOTP codes, far more than the Yubikey allows.

The Yubikey is also limited to only 25 Passkeys, which isn’t even close to enough.

I hope they release a Yubikey 6 soon that can handle a few hundred TOTP codes and a few hundred passkeys.

I like the Yubikey. But I really can’t use it where I want to use it the most. It’s disgusting that I am able to set the Yubikey as my only form of TOTP on Twitter, but my bank still texts me a PIN, and has no option for TOTP or a security key.

1 Like