1Password 8 will be electron, subscription only, and no longer support local vaults

Secrets is also available through Setapp but the iOS version is not currently available through Setapp. So, I’d personally want to wait as a Setapp subscriber.

Well, I just switched to monthly billing to see how this goes. Electron apps are garbage. Every one that I find myself compelled to use never behaves as a good member of the app ecosystem on a Mac. I also no longer fully distrust Keychain. So, it might be time for me to move away from a 3rd party password manager, idk. When do we expect MacOS to update? Will it be as late as possible in fall, as is often the case?

This can’t be done to 1Password’s client in the way you’re describing (i.e., you can’t trivially modify 1Password’s behavior, but you can still install utility apps that can spy on other Mac apps via accessibility, execute keyboard shortcuts, etc., as you’ve always been able to.)

https://macpassapp.org/ is a pretty good native KeePass client. Its approach to browser plugins is global URL detection, I believe, so a little weird. (I didn’t use the autofill when we used it at work.)

Thanks to @95omega and @joshsullivan for posting a link to the NorthSec Security conference (especially for the bookmark josh - that saved a lot of scrubbing). My only experience with Electron has been Slack and Arq v6, so now I know a little more about the technology in general and the new 1PW specifically. In fact, Michael Cohen was more open about the problems they encountered than I would have expected.

I did some additional reading and was surprised to learn that Microsoft Teams is/was an Electron app, and that MS is moving Teams to their own Chromium-based platform (Edge WebView) rather than build a native app.

Bottom line, if the 1Password folks say they can continue to keep my stuff secure with their new app I have no reason to doubt them.

7 Likes

Trying something similar right now while both my Bitwarden and 1Password subs are still active (and thus constitute safe fallback methods):

• KeePassXC on macOS and KeePassium on both iPhone and iPad.
• Syncing the database file via iCloud.
• Further protection via a per-device local key file.
• TOTP handled with Authy.

Not as convenient as either BW or 1P, but cheaper and potentially safer. Will see how it goes.

Update: I switched from KeePassium to Strongbox. The former is somewhat glitchy on iOS 14.

1 Like

Has anyone successfully tried this approach?

3 Likes

I was talking about Electron apps in general, but that’s an assertion that needs a bit of backing up. In my experience, the ways in which unintended code finds its way into web-type runtime environments are incredibly numerous and frequently elicit, “Oh! We hadn’t considered that…” as a response from the developer.

Tried it, but was unsuccessful. I think the csv needs specific formatting and headers.

Sorry, I do see that I made an unwarranted leap to 1Password specifically, but I’d mentioned these mitigations earlier in the thread and they’re also somewhat discussed in that security conference video.

  • For Electron apps in general, that kind of injection or modification attack doesn’t work if the app is signed, because the ASAR file is part of that and it contains the CSS and JS. That means that if a malicious program unpacks the ASAR, modifies a CSS or JS file, and re-assembles the ASAR, MacOS won’t let it run. This is similar to how other applications are protected from modification by the system.

  • Electron apps are also able to use the same security techniques as browser-based apps like CSP to prevent unpermitted external JavaScript from modifying the DOM or adding scripts.

  • For 1Password in particular, they are using an additional hardening library that prevents some additional potential exploits. (Any Electron app using Rust could use this library, too, and it’s partially based on a non-Rust library.)

Agree no app is perfect or exempt from participating in the security arms race, but these apps aren’t trivially modified just because they use web technology.

4 Likes
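The ASAR packaging described above, as an added example that is not from the post or from Electron's own code: a minimal builder and parser for the ASAR layout (constructed sample JS/CSS), plus a digest comparison standing in for the seal a code signature places over app.asar. The bare SHA-256 is an assumption; Apple's real CodeResources format is not reproduced.

```python
import hashlib
import json
import struct

# Constructed sample of what an Electron app ships inside app.asar: its JS and CSS.
SAMPLE_FILES = {
    "main.js": b"require('electron');\n",
    "renderer/app.js": b"document.title = 'vault';\n",
    "renderer/style.css": b"body { color: #222; }\n",
}

def build_asar(files):
    """Pack {path: bytes} into the ASAR layout Electron reads:
    [u32 4][u32 header_len][u32 payload_len][u32 json_len][json, padded][file bytes...]."""
    tree, blob = {"files": {}}, bytearray()
    for path, data in files.items():
        node, parts = tree, path.split("/")
        for d in parts[:-1]:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][parts[-1]] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    js = json.dumps(tree).encode()
    padded = js.ljust((len(js) + 3) & ~3, b"\0")  # Chromium Pickle pads strings to 4 bytes
    payload = struct.pack("<I", len(js)) + padded
    header = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header)) + header + bytes(blob)

def parse_asar(asar):
    """Return {path: bytes} for every file, by walking the JSON header tree."""
    header_len = struct.unpack_from("<I", asar, 4)[0]
    json_len = struct.unpack_from("<I", asar, 12)[0]
    tree, blob = json.loads(asar[16:16 + json_len]), asar[8 + header_len:]
    out = {}

    def walk(node, prefix):
        for name, child in node["files"].items():
            if "files" in child:
                walk(child, prefix + name + "/")
            else:
                off = int(child["offset"])
                out[prefix + name] = blob[off:off + child["size"]]

    walk(tree, "")
    return out

def tamper_detected(signed_asar, candidate_asar):
    """Compare the candidate archive to the digest recorded at signing time. Assumption:
    a bare SHA-256 stands in for the seal in Apple's CodeResources, which is more involved."""
    sealed = hashlib.sha256(signed_asar).digest()
    return hashlib.sha256(candidate_asar).digest() != sealed
```

Any edit to a bundled JS or CSS file, even one that keeps the file's size, changes the archive digest and so fails the seal check; that is the property the signed-bundle argument above relies on.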

Absolutely no worries, I just didn’t want you to think that I was picking on 1Password specifically.

I’m sure the devs have been exceptionally careful, but code injection (not modification of the app, but runtime code injection) with Electron apps makes me somewhat more nervous than I would be with a native app, given what’s at stake here. An XSS bug in 1Password could be completely catastrophic, and preventing them all seems to be really difficult, based on the number of those (and node.js bugs) that cause me to lose sleep.

Anyway, I’m not running down 1Password and will probably continue to use it (but I’ll have to roll up my sleeves and dig deeply into the implications of that), but Electron always makes me a bit more uneasy than a native app; it just has a much larger attack surface, even for people who are being really careful 🙂

4 Likes

If you wait for macOS 12, you will be able to do it natively. Keychain will be able to import/export passwords.

macOS Monterey Features Dedicated Password Section in System Preferences, Built-In Authenticator and More - MacRumors

Awesome, thanks! I’ll wait …

Recommendations where - in this thread?

1 Like

For another take on Electron:

https://medium.com/@jmeller/electron-and-how-cross-platform-apps-will-save-the-mac-2aaba3ab2809

(not sure why the preview is reporting a 500 error - paywall? not sure)

6 Likes

Interesting read, thanks for sharing!

I confess I kind of roll my eyes when someone’s first complaint about an application, before even using it, is that it is Electron. I hear that a lot in the tech podcast space these days, and I can’t quite figure it out. I’d rather see an app like 1Password continue, and if consistent cross-platform development is what they need to do, so be it. Especially on a password manager where I barely look at the UI.

Of course, there are other changes they are making with 1Password, and I’m not referring to those. Just the Electron drama that kind of cracks me up.

5 Likes

Also: Why Electron is a Necessary Evil - Federico Terzi - A Software Engineering Journey

3 Likes

Have provided a follow-up (admittedly opinionated) to my earlier article, given the wide interest in this subject:

3 Likes

Although it often seems to get “poo-pooed” when I mention it in forums (!), I’ll simply say that I’ve been a happy user of Enpass and it’s worth considering.

Sadly, they did implement a subscription a few years ago; however, you can still buy the standalone version, which is kept up-to-date with the subscription version. It’s cross-platform and the Mac version is native. (There are a few places where its cross-platform nature means it doesn’t look completely Mac-native. Specifically, I’m thinking of its preferences window.) Lastly, you can have multiple vaults, and vaults can be stored locally or in cloud storage.

Just adding my two cents to an already complicated discussion!!

4 Likes

I might be an outlier, but I use multiple computers running a variety of operating systems (Mac, Windows, Linux). I also use both personally owned and corporate-owned computers. Finding a password manager that I can use in all of these “use cases” has been a challenge.

1Password is what I currently use, but I’d love a non-subscription solution, say, a password manager that lets me self-host the password storage via WebDAV or a similar technology. That way they only have the cost of development and don’t need to worry about hosting and supporting the data storage part.

My corporate laptop is limited in sharing options. Due to the confidentiality of the data, any form of cloud syncing is off the table.

Anyway, I’ll keep looking but I will stick with 1Password in the meantime.

1 Like

KeePassXC works on Mac, Windows, and Linux. The DB file is on the cloud only if you want it to be.

1 Like