1Password.....to subscribe or not to subscribe?

I’ve used 1Password for many years now, but I’m thinking of dropping it in favor of just using iCloud Keychain. The only thing that gives me pause is putting all of my bank passwords in iCloud. Are the passwords encrypted on Apple’s servers?

Yes, they are end-to-end encrypted. Apple has no access to your iCloud Keychain. https://support.apple.com/en-us/HT202303

1 Like

Apple's claims cannot be verified and it is still possible that they have access to the data. Also use a random iCloud security code.

1 Like

I would say that if you have data important enough that Apple lying about e2e is a worry, that data should not be kept on any device or service. :slight_smile:

4 Likes

Good point about data that “. . . should not be kept on any device or service”

I don’t think Apple is lying. Their security is good enough to frustrate the FBI as well as many other governmental agencies around the world. But no system is totally secure. Google discovered a “narrowly focused . . . exploit of iPhones” that allowed the attacker full root access to the phone, including iMessage and Keychain. Which Apple fixed. But I’ve always preferred to keep my most important info in 1Password and only casual website logins in Keychain. Why?

IMO, AgileBits' one job is security. Keychain, while very good, is only a feature.

2 Likes

Data saved in a service like Keychain is the most important data you have. Better alternatives to Keychain cost only a few dollars so your argument does not make much sense.

Sure, and I don’t mind at all that 1Password is charging a subscription. We use it at work.

However, I can’t confirm that 1Password is e2e encrypted with no weaknesses (like Wayne pointed out) any more than I could for iCloud Keychain. I trust both those companies and the security researchers that constantly probe them for weaknesses, though.

1 Like

That is why it is best to use an open source solution.

I realized my biggest concern is that I don’t use Face ID to login to 1Password on my iPhone. I want there to be an extra layer of security just in case my iPhone goes missing. But I can keep 1Password, and use it this way, just for my bank passwords and keep everything else in iCloud Keychain.

LastPass has had several vulnerabilities over the last few years.

I feel the pain of subscription models too, but I’m less-opposed to it with the more apps I buy.

Everyone has to eat and put food on the table for their families. I am a software engineer who has a salaried job, I don’t make a living nor money-on-the-side from writing iOS apps. I will tell you that writing, testing, publishing and maintaining software is challenging and time consuming. It has to be done by people who need to get paid too, and charging one-time fees is often no longer feasible.

Subscription models don’t make sense for every app though, but critical apps and services do warrant a sustained revenue stream in order to stay in business.

3 Likes

And OpenSSL. And bash. And lots of other open-source software.

They’ve had security holes that went undiscovered for years.

The idea that “open source = more secure” is a modern day fairy tale.

4 Likes

Open-source does not mean more secure by default. It means the developers can’t hide backdoors into the code and the code itself is subject to public scrutiny. That is why open-source is preferred by people who really care about security.

2 Likes

100% true! :blush:

But it means one thing a closed app with all the data on its servers does not have to offer: transparency. And transparency helps in building trust.

And that is what I will have to watch in the future concerning 1Password: if there are any signs that indicate that my personal data is in danger because of any issues.

Right now, I am comfortable with the situation. But to me, this VC thing definitely is something to raise eyebrows. I have trust in Dave Teare. I am confident in the company’s future. If he leaves, it will be one more warning sign for me.

1 Like

And that’s why you use iOS and/or macOS? :thinking:

2 Likes

:laughing:

Actually, yes. :slight_smile:

So, let me explain it in context, it might not have been clear before.

I do trust Apple, I do trust their Privacy policies, I feel comfortable using iCloud for my contacts and for my photos. I do trust Apple with their closed platform and with their servers. It is a trust they have deserved because of their past and their way of dealing with customers and their data and with protecting their customers’ data in the past. There are many examples.

Apple is independent. Apple is healthy. They do want to sell me their products. And I pay for their products. This is a healthy relationship. It feels right and yes, that is why I use iOS and macOS. And from a technical standpoint, iOS and even macOS probably are the most trustworthy commercial operating systems out there.

So, let’s talk about 1Password. I have been a 1Password customer for probably about ten years. First, the data was on my devices and being synced via Dropbox. Today, my data is on their servers, too. I have been a subscriber right from the moment when they started offering their subscription. Dave Teare and 1Password have deserved my trust out of personal experience with them. And the history has shown that they have their act together. 1Password seems to be a healthy product. Then they suddenly took 200 Million Dollars of Venture Capital.

Now, they have a new player in the company. The question is where they are headed now. I think they just want and have to grow (like I mentioned in a different topic). That is fine. A different possible reason could be that they are in trouble and that they need the money. I do not think so, but it could be. And that would be a potential issue for the safety of my data on their servers. So, I will be a careful watcher in the future. I feel some unease because of the VC initiative and I am in good company, I guess. To quote Michael Tsai: “I would like to see a list of top-quality consumer apps developed by software companies that took lots of VC money. I don’t see any in my Dock.”

The post of mine you quoted was referring to the statement that it is a fairy tale that “open source equals more secure”. That is 100% true. There are a lot of products that are open source and that do have a history of security holes and hiccups. True. But there are also a lot of products that have a history of security holes and hiccups that are not open source. What open source software has to offer is transparency. And transparency does not hurt. That is what I meant to say.

I am fine with a closed system that is not open source as long as I have trust in that system. That is true for iOS, macOS and so on.

And up to now, I am having trust in 1Password. I have trust in the company behind 1Password. If I should lose this trust in 1Password in the future, I will give other products a try. And yes, it might be a product with an open source background, local storage of my encrypted data and long-standing history without security holes. Why not? :slight_smile:

4 Likes

“If.” Reminds me of the old saying, ‘If frogs had fur the world would be safe for chinchilla.’

“Might.” :wink:

I use software from 5 on this list personally, and have used others professionally.

https://www.accel.com/companies/all

2 Likes

I have an Eero mesh router and they offer a Secure+ service for $99 a year. It includes ad blocking, 1Password, Malwarebytes and Encrypt.me. [CORRECTED]

Not 1PW specific, but a minor detail.

According to this page, Secure+ comes with Encrypt.me.

1 Like