1Password 8 will be Electron, subscription only, and no longer support local vaults

I’ve had my subscription payment lapse for almost a month due to budget. My account is marked inactive but I was still able to use 1Password, but I have to manually copy/paste my password. The only thing that was locked out was the ability to create new passwords and entries.

1 Like

That could very well be the case. Came by this tweet by @Gruber this morning:

Interesting thread.

I assume that Electron apps by the virtue of their design do not have the same system protection features on Mac as native Mac apps. Has anyone seen research on that? Found this old article of 2019:

and another one:

I know these resources are older, but would love to see if a more recent security assessment has been done and whether flaws exist, especially if sideloaded and bypassing the App Store review process.

4 Likes

The thing with Electron is that Electron can be a lot of things - and the combination with Rust seems to enable a lot of things. When I first saw the 1PW8 screenshots, my reaction was: it looks awesome. I never thought about it being an Electron app.

I honestly do not see Apple being able to reject Electron apps in the long run. There is already a lot going on regarding anticompetitive regulations, investigations and so on… “My way or the highway” will be quite tough to enforce given recent signals in Europe and in the U.S.

Regarding Gruber’s retweet: It remains to be seen if this will be the death of a good product. As of now, I do not see that coming. Especially with password apps, I do not see them succeeding without “embracing” corporate customers. The “normal” user will be fine with OS-integrated solutions in the near future.

I prefer native apps and I “dislike” Electron, too. BUT whether I like it or not: I totally get that an app with the intended availability on multiple platforms, especially with a web backend, will eventually be built with a language or a framework that is available on multiple platforms.

Apple’s intention is that this platform is Swift. I have not stumbled upon a single app on Windows that is written with Swift. There might be some?!

A huge number of developers seems to think that Electron could be the answer when I see how many apps are out there using Electron or switching to Electron. And apparently well done Electron apps can be “good” enough, can be “native” and can work with Windows features on Windows (and with a Windows UI) and with Mac features on a Mac (and the Mac UI).

I would love to see an MPU episode about this topic (@ismh and @MacSparky):

  1. What do developers think about the future of multi platform apps?

  2. Is Swift an option for that use case?

  3. Why are so many developers sticking with or even migrating to Electron?

  4. Is Electron an option in combination with Rust? Are there limitations on the Mac?

The topic might be interesting for a developers’ roundtable (maybe as one of several topics).

8 Likes

I’m not familiar with Electron’s private API usage today, so I don’t know if 1Password will have to leave the Mac App Store.

That injection exploit isn’t a problem:

  • Notarizing protects against modifying the app itself (protecting the ASAR file mentioned in the article)—this was confirmed when that article was published.
  • 1Password uses additional hardening (and made the library open source)

I believe this is the YouTube video that was mentioned; it has some good information: (in case you have a URL cleaner, the 1P part starts at 1:25:55)

3 Likes

I can report a fairly seamless change from 1Password to BitWarden over the past 24 hours. If you import your 1Password vault(s) you do need to be prepared to go through the entries checking (in particular) custom fields because those in BitWarden pick up some odds and ends which you’ll probably wish to delete.

I was so impressed by BitWarden that, for once, I did upgrade to a “families” plan ($40 per year if paid in advance). It’s much cheaper than 1Password and BitWarden actually has some things that are better than in 1Password (for example, the ability to have a contact with emergency access).

There are a few things which are not quite so good (I suspect I can’t have a separate vault—as opposed to “collection”—for archived logins, etc., for example) but, on the whole, BitWarden works extremely well (and sometimes autofills better than 1Password). I was very impressed that when I started the “families” plan TOTP started working immediately with my old logins (so the relevant information had been imported from 1Password). (You need to have a premium subscription of some sort to be able to use the BitWarden authenticator.)

All in all, a good and encouraging experience and I’d urge others inclined to make a switch at least to investigate BitWarden.

Stephen

9 Likes

I’ve successfully migrated to KeePass, as I am unwilling to trust any proprietary solutions anymore. I think an open standard is the best option for longevity.

I’m currently using KeePassXC on desktop with the Firefox plugin. On iOS I’m using Strongbox. The initial import from 1Password is pretty easy, although some cleanup is needed afterwards.

5 Likes

+1 on an MPU episode.

Some good observations. I understand the business rationale of multi platform and scale etc, but the ecosystems have been built differently for many reasons and anything generic will in the end be a compromise. I for one would like to understand that compromise and the marketing stuff is not convincing me.

I don’t need a uniform experience across platforms. BMW and Tesla are very different cars and both get you from A to B, albeit with a different experience.

I want - especially on security-related matters - the best platform integration and protection possible using the best each platform has to offer (encryption, secure enclaves, immutable code etc). macOS, Linux and Windows are very different beasts re. security. Maybe it is time to embrace more the baked-in solutions and live with the drawbacks.

Following this thread and looking forward to seeing what people end up doing. In the meantime I am dusting off my Yubikeys to see if I can make that experience work better.

6 Likes

When I search for “popular password managers” 1Password, LastPass, Dashlane, and Keeper are normally at or near the top of each list. But three of these services are browser extensions; only 1PW offers an on-device app.

Regardless of what we think of Electron, the success of online-only password managers, note taking apps, etc. shows that many people don’t care about native apps. They just want solutions and select the products that work for them.

I agree. Companies with corporate customers won’t be hurt by improving OS-integrated solutions to the extent of smaller companies and solo developers.

1 Like

To be honest, most of these recommendations look like sponsored content to me. These services generate the most revenues hence are able to purchase aggressive ads. There are definitely smaller “artisan” password managers, like Secrets, Strongbox. But we need to dig deeper for them.

4 Likes

But we don’t like 1Password anymore because non-native app, no local-only data vaults, and available only by subscription. And BitWarden seems very similar to me on these points. So why change? I’m looking at something like Strongbox as a simpler app that “fixes” 1Password’s recent transgressions.

1 Like

Yes, and those revenues make them more likely to succeed. Having the best technology doesn’t guarantee success. For example, ChromeOS is now more popular than macOS.

Yes, “There are definitely smaller “artisan” password managers, like Secrets, Strongbox.” But will enough people seek these out to ensure their success, especially when free built-in password managers continue to improve?

1 Like

Could you post details of how you managed the migration and any issues or suggestions you might have? Also info on the device app solutions that access the KeePass data.

3 Likes

My plan is to stick with 1Password 7 for as long as possible.

1 Like

I initially used KeePass on Windows with a plug-in called OneVault to import the 1Password vaults in OPVault format. The import is almost perfect. There were some deleted and empty items appearing but it only took me a few minutes to clean them up.

It’s slightly difficult to run KeePass on macOS and it doesn’t have browser extensions. So I installed KeePassXC instead, which has browser extensions. It can import 1Password vaults natively without any plug-ins. But I didn’t try the import as I already did the work with KeePass. It’s not as polished as 1Password as most FOSS software tends to be. But it’s functional and won’t screw us over for business decisions.

The KeePass database is a single .kdbx file that I put in Dropbox to sync. It’s an open standard audited by the European Commission’s Free and Open Source Software Auditing (EU-FOSSA 1) project. There’re many supporting third-party applications listed here. I’m using Strongbox on iOS, which has a lot of advanced functionalities. There’s also a more simplistic client on iOS called KeePassium.

2 Likes

I was not concerned about 1Password 8 being non-native, although I know others are. I was a little concerned about non-local vaults and did not like the idea of a subscription. Nevertheless, on investigating BitWarden in some depth I did like what I found (the fact that it’s open source, has comprehensive on-line help and good support forums) sufficiently to go with it. I found the subscription options very reasonable (unlike 1Password—which became very expensive if you wanted to share only with one other, as opposed to an entire family).

All I wanted was a reasonably comprehensive password manager produced by an outfit I felt I could trust (just as, many years ago, I once trusted AgileBits <sigh>)—and preferably an app which would import reasonably well from 1Password.

I know there are other apps that suit others better—for various reasons. That, however, was my reasoning and personal preference. It’s a bonus that, quite often, BitWarden with its browser extensions autofills really rather well—and, on occasion, rather better than 1Password 7 did.

Stephen

1 Like

I disagree. It doesn’t recognise those who work cross platform, or those who don’t wish a 3rd party retaining a copy of their passwords. I suspect it’s to reduce costs; unfortunately, it will also impact the quality for some people. So the question is, will the cost cutting outweigh the lost revenue?

I’m so sad that 1Password took outside funding, it’s always been a Triple A product for a reasonable cost. Unfortunately I feel that they’re about to shoot themselves in the foot.

3 Likes

A big problem with Electron is that apps created with it are basically web browsers without sandboxes. A web browser is mostly just a means by which you download code from servers and execute it locally. That code is designed so that adding more of it from other locations at runtime is easy. A huge amount of the effort that goes into browser development is to keep that (really, really scary sounding (and rightfully so)) activity from being able to escape the browser. Electron apps have native app access to your computer.

This is also why browser bugs should scare the heck out of you, why updates as soon as they’re made available are incredibly important, and why Google goes to extraordinary lengths to make it (nearly) impossible to avoid updating Chrome.

4 Likes

Secrets is also available through Setapp but the iOS version is not currently available through Setapp. So, I’d personally want to wait as a Setapp subscriber.

Well, I just switched to monthly billing to see how this goes. Electron apps are garbage. Every one that I find myself compelled to use never behaves as a good member of the app ecosystem on a Mac. I also no longer fully distrust Keychain. So, it might be time for me to move away from a 3rd party password manager, idk. When do we expect macOS to update? Will it be as late as possible in fall, as is often the case?