1Password 8 will be Electron, subscription only, and no longer support local vaults

When you get your first Apple silicon-based laptop Mac (M1 or whatever) and you start watching the energy and memory usage in Activity Monitor of various apps and how good ones contribute to excellent battery life, you may come to realize how a good native Mac app could stand head and shoulders above other ways of doing things.

6 Likes

Flagged? Lol.

Of course most people in this forum are not developers. This is a user forum. The name says it all.

Also, what tight budget? You mean a company with a 2 billion valuation has a tight budget?

You can label the community whatever you want. But I’m guessing that word is exactly reserved to people like you.

5 Likes

I’m totally elitist, but more in that old-timey Unix user kind of way, so elitist, but also kind of shabby :wink:

8 Likes

That was a good read!

You guys realize the 1Password Mac application isn’t actually running the entire time, right? The browser extension does the job of filling in passwords and creating new ones - you only need to open the app once in a while for certain tasks.

4 Likes

Here’s some additional info on 1PW if you are interested.

You realize that not everyone trusts browser extensions, right? I only use the app and have turned off the browser extension.

4 Likes

Then why would you trust the app? That’s completely arbitrary logic!

You don’t see that the security model is quite different for a browser extension than for a Mac app?

5 Likes

Yes, and they’re both completely insecure if you don’t trust the developers.

This is the classic trade-off between security and convenience and you get to decide where you personally come down on that continuum. And so do I.

1 Like

I don’t agree with your trade-off, but fine.
My point is more that MOST PEOPLE should never use more than 30 minutes a month using the actual 1Password Electron app.
Because the Mac app is SO MUCH MORE INSECURE than the browser extension…

Only if you don’t want to use TouchID etc.

I’m not talking about logging in, I’m talking about bugs. If the browser extension is buggy it has a smaller attack surface. And Touch ID is a convenience feature – it doesn’t add security compared to using the password.

1 Like

To use the browser extensions or not is a question that I’ve been considering for a longish time and I don’t think the answer is especially obvious on the Mac. It comes down to the question of whether it’s more likely that I have something malicious running on my system that has access to my clipboard (I don’t have any evidence to that effect, but I’m not naive enough to think that it’s impossible) or that a web page can trick a password manager’s browser extension into providing information that it should not provide (this has happened in the past).

When making recommendations to others this risk calculation is further complicated by the likelihood that the convenience of using extensions would increase the likelihood that a given user would continue to use the password manager vs just giving up on it and resorting to poor password management practices (like using the same or similar passwords everywhere).

Personally, I still copy/paste, but usually recommend to others that they use the extension, unless they’re someone who I feel is willing to make a risk based decision. I would be much happier if Apple were to introduce a little notification into macOS that tells me when an app has accessed the clipboard as they did in i(Pad)OS (and even happier if clipboard access could be restricted by app).

I don’t think anyone is wrong or right for using/not using the extensions, but I do think that people who deviate from the recommended path (to use the extensions) should do so only if they consider the risks of both options.

3 Likes

I agree! TouchID doesn’t replace the password and no cryptographic material is derived from its use. If it encourages the use of the password manager and if the convenience of it encourages the use of a stronger master password, then its use probably increases overall security.

1 Like

At work, we are in the app several times a day for information that wouldn’t autofill in a browser. (This is not commentary on anyone who does differently!) Each interaction with the app is brief, but it makes a difference to me and to my coworkers that they’re predictably pleasant. I also think that dysfunction in the desktop client’s development would spill into the browser integrations and other products. Everything AgileBits does needs to be pretty good or better if they’re to deliver a great product to any one platform consistently.

@WayneG that TechMeme interview was pretty candid (like so many AgileBits communications; it’s a good trait for a company’s employees to have.)

One interesting bit re: Electron is regarding their limited ability to deliver multiple codebases to high standards. Initially, their plan was to unify their codebase in the Apple ecosystem with SwiftUI, instead of across desktops with a Mac-Win-Linux client. However, they couldn’t because they have too many customers who can’t upgrade macOS to the versions a good SwiftUI implementation would have required. So they went with the approach we’ve been discussing and are doing standalone codebases for iOS/iPadOS, and Android.

Also appreciated the candid confirmation that shoring up the Windows client was important to them, as was meeting more business needs. I personally don’t think this means they are abandoning individuals and families, but the priority order is clearly there.

Also, the brief discussion of health data secure note type, coupled with their increasing access and capacity for partners and integration, was tantalizing…

1 Like

I’m totally elitist, but more in that old-timey Unix user kind of way, so elitist, but also kind of shabby :wink:

Lol, same.

5 Likes

I’m not talking about bugs or logging in - if you want to have integration so Touch ID works then the background 1Password has to be running to use the browser add-in.

1 Like

Just because a product may be targeted toward businesses that isn’t a bad thing.

In 2001 - 2002 I moved my company’s email from MS Exchange 5.5 to a Unix based system because Exchange was unable to handle our inbound volume (1 million+ messages/month - almost all unwanted). The system I chose was designed for ISPs, like Verizon. It was priced in tiers up to 30,000 users, then jumped to unlimited. We only needed a license for 250 users but I never had a single problem with the software in the 16 years prior to my retirement.