
MacBH928

macrumors G3
Original poster
May 17, 2008
8,434
3,781
Hi,

just found this thread, so sorry if this is already known here. I haven't read very much yet. And am not even sure what it is mainly about. 🙈

It's for people who want to abandon 1Password and look for an alternative after 1Password became a monthly subscription service.

The flaw is the use of the clipboard for inappropriate content. The clipboard is designed for easy communication between applications; it's been that way for decades.

It could be that a thread that accesses the clipboard has to satisfy certain conditions. Perhaps the thread has to be initiated by some user action. But, certainly it's not a physical action on the computer itself since a remote desktop session can use the clipboard. I really don't know anything about what protections there are around access to the clipboard. Perhaps someone on this thread knows.

The Clipboard Viewer application requires me to click somewhere before it displays the clipboard's contents. Based on that, we do know that any foreground application can probably access the clipboard without the user triggering an action that is explicitly represented as a clipboard copy.

That's the question. Does it see anything in the clipboard, or does it require an action from me to make it see what is in the clipboard?

If it's the first, I can imagine the horror of running the Chrome browser and anything I copy to the clipboard will be read by Chrome and can be sent to the Google servers because I agreed to this in their multipage ToS.

Yes, you keep saying that in different posts. Don't know why.

A cursory search "In 2020, 106 browser extensions were removed from the Chrome Web Store, being used to steal user data, take screen captures or even steal credit card information from web forms" Article here

Well, obviously if you are going to install malware it's going to be a security threat, but what about using an extension from a trusted source like Bitwarden? I have not heard of anyone getting hacked because of that.
 

bsmr

macrumors 65816
Oct 4, 2005
1,106
287
Germany
I think the best part would be to use something like Apple's new built-in Passwords app, as it has native support, which should be the most secure.
 

johannnn

macrumors 68020
Nov 20, 2009
2,254
2,412
Sweden
An extension, as useful as it may be to use, creates a possible vector due to leaks and information being sent (intentionally or not) to the developer of the extension and other possible parties. There have been numerous examples of bad results in this light with third party extensions. And while I have not directly researched any problems related to extensions in such a manner, I made a decision years ago not to introduce a third party swinging door into my usage.
I love this view, and I agree with it, I’m just wondering what you do with adblocking? Some websites are crazy at injecting Javascripts that decrease battery and look awful.
 

bsmr

macrumors 65816
Oct 4, 2005
1,106
287
Germany
I use Strongbox.
Thx for the feedback. Don't you have the issue, when you disable iCloud Keychain within Safari settings, that on websites where no credentials are stored, the little key close to the form fields does not work?
It seems to be stuck and only working on websites where you already have saved credentials.
 

Apple_Robert

Contributor
Sep 21, 2012
34,970
50,979
In the middle of several books.
Thx for the feedback. Don't you have the issue, when you disable iCloud Keychain within Safari settings, that on websites where no credentials are stored, the little key close to the form fields does not work?
It seems to be stuck and only working on websites where you already have saved credentials.
Are you talking about PassKey fill? I don’t have Keychain turned off.
 

bsmr

macrumors 65816
Oct 4, 2005
1,106
287
Germany
Are you talking about PassKey fill? I don't have Keychain turned off.
No. When a new website has no credentials it is not possible to create new ones when iCloud Keychain is turned off and you use Strongbox only. Seems to be an Apple bug.

Do you still use iCloud Keychain and Strongbox? Or why do you leave it activated?
 

VineRider

macrumors 65816
May 24, 2018
1,373
1,177
An extension, as useful as it may be to use, creates a possible vector due to leaks and information being sent (intentionally or not) to the developer of the extension and other possible parties. There have been numerous examples of bad results in this light with third party extensions. And while I have not directly researched any problems related to extensions in such a manner, I made a decision years ago not to introduce a third party swinging door into my usage.
Do you use an adblocker? If so, what one do you use that is not a browser extension?
 

lostPod

macrumors 6502
May 9, 2022
314
247
Anyone found any other discounts for Enpass? That StackSocial link seems to have expired.
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,434
3,781
I love this view, and I agree with it, I’m just wondering what you do with adblocking? Some websites are crazy at injecting Javascripts that decrease battery and look awful.

Do you use an adblocker? If so, what one do you use that is not a browser extension?

You can setup your device (or router) to use adblocking DNS. Here are free ones:

Control D
76.76.2.2
76.76.10.2

Adguard
94.140.14.14
94.140.15.15

You can also use the subscription service NextDNS, or build your own Pi-hole and set it up as you like. Please note that DNS blocking does not stop YouTube ads. Only a browser extension can do that.

uBlock Origin is FOSS and trusted by many, but to each his own. Also Wipr for Safari, if you do not enable "Wipr Extra" (which blocks YouTube ads), should be safe since Apple has built it in a way that the extension cannot read your web browser.

You will need to do further research on that though.

Anyone found any other discounts for Enpass? That StackSocial link seems to have expired.

Just search online for "Enpass discount" or something like that and pick a reputable site. Try this one with the lifetime option; don't pick the "plan option" because that's a subscription.
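The DNS-blocking suggestion above raises a practical question: how do you confirm that the resolver you configured actually sinkholes ad domains? The script below is an added example, not code from this thread or from any of the DNS providers named in it. It sends a plain UDP DNS query and classifies the reply the way blocking resolvers commonly answer: a "null IP" such as 0.0.0.0 or 127.0.0.1, or NXDOMAIN. The server defaults to the AdGuard address quoted in the post; `ad-tracker-placeholder.example` is a placeholder you must replace with a domain you expect your resolver to block, and `build_sample_response()` fabricates wire-format replies so the parsing can be exercised offline. All function names are my own.

```python
"""Check whether a resolver sinkholes a domain (added example, not from the thread)."""
import random
import socket
import struct

ADGUARD_DNS = "94.140.14.14"            # address quoted in the thread
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}  # common "null IP" answers for blocked names
NXDOMAIN = 3                             # DNS RCODE for "name does not exist"


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                    for lbl in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str) -> tuple[int, bytes]:
    """Standard recursive A query; the random transaction ID lets us match the reply."""
    tid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    return tid, header + encode_name(name) + struct.pack(">HH", 1, 1)


def skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name inside a DNS message."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(resp: bytes, tid: int) -> tuple[int, list[str]]:
    """Return (rcode, A-record addresses) from a reply; reject mismatched IDs."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != tid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        off = skip_name(resp, off) + 4  # +4 for QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # A record
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips


def classify(rcode: int, ips: list[str]) -> str:
    """Map a parsed answer onto the blocking behaviours resolvers actually use."""
    if rcode == NXDOMAIN:
        return "blocked (NXDOMAIN)"
    if ips and all(ip in SINKHOLE_IPS for ip in ips):
        return "blocked (null IP)"
    if not ips:
        return "no A record"
    return "resolves"


def check_domain(name: str, server: str = ADGUARD_DNS, timeout: float = 3.0) -> str:
    """Live check against `server` (needs network access)."""
    tid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        resp, _ = s.recvfrom(4096)
    return classify(*parse_response(resp, tid))


def build_sample_response(tid: int, name: str, rcode: int, ips: list[str]) -> bytes:
    """Constructed reply in real wire format, used only for offline testing."""
    header = struct.pack(">HHHHHH", tid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


if __name__ == "__main__":
    # Replace the second name with a domain on your resolver's blocklist.
    for d in ["example.com", "ad-tracker-placeholder.example"]:
        print(d, "->", check_domain(d))
```

Run it once against the blocking resolver and once against a normal one (for example your ISP's) to see the difference; if a domain you expect to be blocked reports "resolves", the device is not actually using the resolver you configured, which is the usual reason DNS blocking "doesn't work".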

 

toasted ICT

macrumors regular
Sep 28, 2010
132
139
Sydney
Well, obviously if you are going to install malware it's going to be a security threat, but what about using an extension from a trusted source like Bitwarden? I have not heard of anyone getting hacked because of that.
It might be best not to underestimate the risk profile created by using browser extensions. It's not a matter of downloading malware. Even using extensions provided on reputable sites (such as the official Chrome Store) that purport to be legitimate extensions for legitimate applications is a substantive risk:


There are password managers that do not use browser extensions and I decided to use one of those.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,422
1,857
Around
It might be best not to underestimate the risk profile created by using browser extensions. It's not a matter of downloading malware. Even using extensions provided on reputable sites (such as the official Chrome Store) that purport to be legitimate extensions for legitimate applications is a substantive risk:


There are password managers that do not use browser extensions and I decided to use one of those.
You can do this with most password managers
 

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
It might be best not to underestimate the risk profile created by using browser extensions. It's not a matter of downloading malware. Even using extensions provided on reputable sites (such as the official Chrome Store) that purport to be legitimate extensions for legitimate applications is a substantive risk:


There are password managers that do not use browser extensions and I decided to use one of those.

The more I read, the more I am likely to come to the same decision. I posted a question about the security of extensions on the 1Password forums, comparing their use to alternatives; no answer yet.

I did read this:


Search for "I've spent a lot of time trying to understand the attack surface of popular password managers" to get Tavis Ormandy's opinion on extensions. But the person quoting him, Steve Gibson, has less concern. Those are two people with real knowledge rather than people who've read internet articles that are often misleading or naive.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,139
1,402
If it's the first, I can imagine the horror of running the Chrome browser and anything I copy to the clipboard will be read by Chrome and can be sent to the Google servers because I agreed to this in their multipage ToS.

Remember that if you are running the Chrome browser and it's executing JavaScript (which it almost always is), that code can read the clipboard.


and this:


with an important "The action that triggers the event is triggered in an app with permissions to read the clipboard". Chrome has permission to read the clipboard and events are more than user interactions.

And, I just now notice this:


which suggests that a malicious website can detect when something writes to the system clipboard (and the event fires when the browser gains focus). So applications don't have to be actively polling the clipboard to notice something new has been added there.

I haven't done any experiments to check all this, but it's clear that the clipboard is no place for sensitive information.

Well, obviously if you are going to install malware it's going to be a security threat, but what about using an extension from a trusted source like Bitwarden? I have not heard of anyone getting hacked because of that.

You have to trust an extension far more than a free-standing application.
  • I don't think Apple's Gatekeeper would block a malicious extension. Maybe it would if running in Safari.
  • Apple's privacy controls limit what a desktop application can do and see. But, within a browser, an extension can see everything that's visible or typed in the browser window.
So, yeah, don't run malware. But, what if the software distribution channel is compromised and you get a hacked version of an extension? That could very well be the biggest risk when using software from a small player in the field, even if their security design is top notch. Tavis Ormandy mentions this risk in what I linked in my previous post:


That same risk applies to desktop applications. Tavis believes the only safe place to store passwords is inside the native password managers of browsers. I guess he believes the distribution channels for major browsers are heavily guarded.
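The post above concludes that the clipboard is no place for sensitive information, but every password manager still offers "copy password", so the practical mitigation is clipboard hygiene: put the secret there for as short a time as possible and wipe it afterwards. The script below is an added example of that mitigation; it is not code from this thread or from 1Password, Strongbox, Bitwarden or any other manager mentioned here. `MacPasteboard` wraps the `pbcopy`/`pbpaste` tools that ship with macOS; `MemoryClipboard` is a constructed stand-in so the logic can run anywhere, and the function names are my own. The subtle point it shows is the check before wiping: a naive timer that always clears the clipboard will destroy whatever the user copied in the meantime.

```python
"""Clipboard hygiene for secrets: copy, then auto-clear after a timeout.
Added example (not from the thread or any password manager named in it)."""
import subprocess
import threading


class MacPasteboard:
    """Real backend: the pbcopy/pbpaste command-line tools shipped with macOS."""

    def read(self) -> str:
        return subprocess.run(["pbpaste"], capture_output=True, text=True,
                              check=True).stdout

    def write(self, text: str) -> None:
        subprocess.run(["pbcopy"], input=text, text=True, check=True)


class MemoryClipboard:
    """Constructed in-memory stand-in so the logic runs offline on any OS."""

    def __init__(self) -> None:
        self.text = ""

    def read(self) -> str:
        return self.text

    def write(self, text: str) -> None:
        self.text = text


def clear_if_unchanged(backend, secret: str) -> bool:
    """Wipe the clipboard only if it still holds our secret.

    If the user copied something else meanwhile, leave it alone: clobbering
    their data is the failure mode of a naive "always clear" timer.
    Returns True when a wipe actually happened.
    """
    if backend.read() == secret:
        backend.write("")
        return True
    return False


def copy_secret(backend, secret: str, timeout_s: float) -> threading.Timer:
    """Place `secret` on the clipboard and schedule the conditional wipe.

    The returned Timer lets the caller cancel or join it; it is a daemon thread
    so a closing application does not hang waiting for the wipe to fire.
    """
    backend.write(secret)
    timer = threading.Timer(timeout_s, clear_if_unchanged, args=(backend, secret))
    timer.daemon = True
    timer.start()
    return timer


if __name__ == "__main__":
    clip = MacPasteboard()
    t = copy_secret(clip, "correct horse battery staple", timeout_s=30)
    print("secret copied; it is cleared in 30 s unless you copy something else first")
    t.join()
```

Two caveats a practitioner should keep in mind. First, this shortens the exposure window but does not close it: anything that reads the clipboard during those 30 seconds (including page JavaScript, as the post notes) still sees the secret. Second, `pbcopy` cannot tag the data as concealed; native apps do that by adding the `org.nspasteboard.ConcealedType` pasteboard type, which cooperating clipboard-history tools honour by not recording the entry.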
 

bsmr

macrumors 65816
Oct 4, 2005
1,106
287
Germany
Both databases are the same. I do it that way with third party apps for security reasons. I admit that it is something others on here may not put up with but, I think it is safer.
So Strongbox simply is a backup copy of your iCloud Keychain? Or do I get it wrong?
 

MacBH928

macrumors G3
Original poster
May 17, 2008
8,434
3,781
The more I read, the more I am likely to come to the same decision. I posted a question about the security of extensions on the 1Password forums, comparing their use to alternatives; no answer yet.

I did read this:


Search for "I've spent a lot of time trying to understand the attack surface of popular password managers" to get Tavis Ormandy's opinion on extensions. But the person quoting him, Steve Gibson, has less concern. Those are two people with real knowledge rather than people who've read internet articles that are often misleading or naive.

If you find anything definitive about extension risks please share. Everyone is using extensions no one is aware of the risks.

Remember that if you are running the Chrome browser and it's executing JavaScript (which it almost always is), that code can read the clipboard.


and this:


with an important "The action that triggers the event is triggered in an app with permissions to read the clipboard". Chrome has permission to read the clipboard and events are more than user interactions.

And, I just now notice this:


which suggests that a malicious website can detect when something writes to the system clipboard (and the event fires when the browser gains focus). So applications don't have to be actively polling the clipboard to notice something new has been added there.

I haven't done any experiments to check all this, but it's clear that the clipboard is no place for sensitive information.

This is worrisome. I have many apps all open at the same time and who knows what is reading and sending back what.

That same risk applies to desktop applications. Tavis believes the only safe place to store passwords is inside the native password managers of browsers. I guess he believes the distribution channels for major browsers are heavily guarded.

Ironically, I thought that's the worst place to store passwords. I mean, a dedicated password manager sounds like it will have much more security than a "save password" feature in a browser.

So Strongbox simply is a backup copy of your iCloud Keychain? Or do I get it wrong?

It's an independent password manager.

 

DCIFRTHS

macrumors 65816
Jan 25, 2008
1,218
594
I have a feeling that Universal Autofill is the safest. I am forced to trust the 1Password program since I am giving it broader access to my system. But, I certainly do trust it; I wouldn't have put all my passwords into a program that I didn't trust.
Are you referring to the option that requires Accessibility Features to be enabled?

In the past, I have thought about using this but it gives a lot of control over the OS to the program you grant privileges to.

I'm at a crossroads regarding what the least vulnerable option is...

Wondering if Apple would ever implement notifications when a program reads or pastes from the clipboard like they did in iOS? It stopped a lot of programs from accessing the clipboard unless there was a valid reason. Come to think of it, has Apple deprecated that function?
 