Tell HN: 1Password shares passwords you don't want shared
I mentioned this in a comment [0], but given how serious this potentially is I thought it might warrant a Tell HN.
Only tested on a Mac with 1Password 7 using Agile Bits' sync.
If you have shared and private vaults on 1Password, using the Generate Password button in 1Password Mini doesn't let you select which vault that password should be saved in until it becomes a login, however, at that point it has already saved the password you generated in your shared vault, and anyone who you share that vault with can see both the password, and the site that it was generated for. This has obvious security implications but also, maybe less obviously, privacy implications as you may not want your entire company to know that you just generated a password for a jobs site.
104 comments
[ 0.27 ms ] story [ 155 ms ] threadI also heard good things about Pass "the standard unix password manager". Great for those wanting to use the command line and git to manage their passwords.
A more accessible solution is Firefox password manager : it works rather nicely and at least it's not owned by a company trying to make money on password management.
Now, those so inclined know to monitor shared vaults.
It's generally understood to be the most ethical approach.
[1] https://en.wikipedia.org/wiki/Coordinated_vulnerability_disc...
There are a wide variety of opinions in the industry about the merits of coordinated vs full disclosure. Calling one option “responsible disclosure”, or suggesting that it’s generally understood to be the most ethical, is outlandish.
(I say this as somebody who is looking to get off of 1P.)
Regarding subscription fees, there's nothing wrong with paying for software.
[0] https://www.passwordstore.org/
I did pay for their software. Then they decided to try to exploit their position in a way favorable to them, and unfavorable to me. Nope.
The biggest difficulty I had is that bitwarden doesn't have a lot of "equivalent domains" to map web urls to android app namespaces, but that's a one time fix.
Sometimes bitwarden takes two tries to input a password on my phone, but lastpass broke it's support for firefox on android over a year ago and hasn't bothered to fix it.
As it is, I have tons of organization accounts and personal accounts and Bitwarden offers me no way to efficiently switch/filter between those groups of accounts.
https://1password.community/discussion/30903/how-to-reveal-p...
https://bitwarden.com/
It ended up as an extremely elegant keylogger. Cool stuff.
Nice catch, though!
When it comes to generated passwords, we had this implementations since 1Passwd 1.0 and it was always a bit kludgey. I believe the redesign in 1Password 8 completely solves this problem by using a special system vault to store the generated values.
-- Roustem 1Password Founder
> If you have shared and private vaults on 1Password
I have shared and private vault (the default Private + other new shared)
I have checked on Windows & MacOS again and I remember that option has always been set to the default private vault.
Doesn't seem like a bug at all, and in fact I would likely switch to iCloud Keychain if this behavior went away (which doesn't support default-shared but is free).
There seem to be 2 problems here: Generate Password not telling you which vault it will be saved in, and the Shared vault being set as default (presumably) without user input.
Vault for Saving in preferences is set to Primary.
If I select a specific vault to view in 1 password, then end up on a website and create a password, 1Password mini has the viewed vault as selected when it asks to save the password, not the vault I've specified as where to save new passwords.
This has been long standing behavior in 1 Password.
Still on 7 because I'm using a mix of vault locations and while I'm using both teams and personal 1password, I have other vaults in other locations.
Yes, you "bought" the app, but it gets constant updates. It's not like 1990s desktop software, where version X was some static thing that didn't require maintenance as long as it worked.
1Password needs constant, expensive maintenance even if it has zero bugs because they have to keep pace with potential attackers.
They're spending a stream of money to keep the app updated and secure, so why shouldn't they ask for a stream of money from users?
Also, comparing to Dashlane and LastPass (both of which are train wrecks), I would pay a lot more for 1Password. It's one of the best-designed, best-UX apps I've used in years. I'm kicking myself for only switching from LastPass a few weeks ago.
> I've bought an app, and the developer turned it to subscription based.
A one-time payment usually doesn't cover on-going costs, to "bought an app" is a concept that doesn't apply neatly to security-related software.
I don't take this position with most other apps as they don't really need a subscription to function but 1Password is a notable exception for me.
> but needing to buy Windows and Mac licenses for me and my spouse ended up being much more expensive in the long run than a family plan
For me as well, paying for actual licenses will be more expensive out-of-wallet, but that in itself has a value to me as I now know I own a license that will not be revoked for whatever reason. It also means I am more in control over when and how to upgrade to new major version. The subscription model is also tied to a cloud syncing service which is also a _negative_ in my experience. And due to regulations it is even not allowed be used at my place of work. Having control over the license and therefore vault sync/no sync is also valuable.
That said, I _totally_ understand that the value proposition that Agile Bits give you and others is nice. It's just that for me, the value proposition has gotten significantly worse, so any amount of "it can be cheaper" does not really help here.
[0] https://bitwarden.com/
Options include: Copy, Reveal, Large Type, Type in window >
Very happy with Bitwarden. Has a self-hosting option, too, which I like. been debating setting up a self-hosted server here at home for storing my passwords.
I ended up going with Bitwarden and I am very happy with it. Actually, 4 days ago was my official one-year anniversary with them!
The fact that I have to create an account and an online vault with a master password is the biggest turnoff for me. https://vault.bitwarden.com/#/register
They only store the encrypted vaults, which is useless without your master password. So even if it is hacked, the only thing the hackers get is an encrypted blob.
> you can use that own its own without an online account.
That is because KeePassX/KeePassXC is an offline app that reads a database (.kdbx file) you have on your computer. Bitwarden is for people who want to use their password manager on multiple devices. So an account is necessary.
How do you use Keepass across multiple devices. Please don't say Syncthing cause that's not an option for most regular people. And if you use something like Dropbox, what if https://dropbox.com gets hacked?
> The fact that I have to create an account
This is for authentication (needed it for syncing it across multiple devices).
simply collecting them makes them a potentially valuable target, and even though encrypted, it cam be cracked with enough time and money.
edit: KeepassXC user here too.
If someone could gain a copy of a known high-value ciphertext, they may not be able to crack it now, but time is on their side, and I can't recover the file once it is out there. My only recourse is to speculatively rotate passwords inside the file.
Bitwarden is self-hostable FOSS. You can easily run your own server instance, if you are, wisely, concerned about the security risks inherent in SaaS.
He said "Please don't say self-host" for a good reason. Do you really believe that most regular people have the free time and technical skills and security chops to "easily run your own server instance" safely and securely?
If you think that's "easy", then you're doing it wrong.
Linux is only free if your time is worthless. ;)
Run it behind a VPN? Use a properly secured containerized image? Implementing good security is much easier at small scales than at large scales.
> Do you really believe that most regular people have the free time and technical skills and security chops to "easily run your own server instance" safely and securely?
Who's talking about "regular people"? We're discussing what solutions we -- users of HN -- find most effective for our own use.
> Linux is only free if your time is worthless. ;)
My experience, especially in a business context, has been quite the the opposite. Implementing complex projects with proprietary vendor solutions involves a vastly greater amount of time dealing with requirements analysis, project scoping, contract negotiations, support escalations, etc., only to be locked into something proprietary and idiosyncratic, a sealed black box where even trivial modifications require another round of analysis, project scoping, etc. usually with a heft cash payout.
Conversely, the time we spend setting up and maintaining self-hosted FOSS solutions improves our own knowledge and skills such that every subsequent project becomes incrementally easier, and therefore much faster to implement.
> you may not want your entire company to know that you just generated a password for a jobs site.
I would not put any personal (as in not work related) passwords and secrets in a 1password account controlled by my employer, on principle.
This feature is based on something that was in the app from version 1.0. It was important for the app to save all generated passwords so that you never lose them by accident.
We had a chance to rethink it in 1Password 8 and build it from scratch. The history of generated passwords is implemented version 8 in a better way.
— Roustem
1Password Founder
The app no longer shows the generated passwords in the item list. Instead, they are available in the browser extension: https://cln.sh/YtKtAq
Systems vaults can also used to sync other data like certain user settings, search history, etc.
Now they have intentionally crippled your ability to maintain isolation. They want you to go to "one place" to manage all your passwords, across accounts, and muddle through their clunky UI to change vaults. It's not obvious which vault new credentials are saved in. It will pull credentials from all vaults when you go to fill out forms, so now when I log into the different Google accounts I have to use (various clients), even though I'm using separate Chrome profiles, it's all a single 1Password behind the scenes, so I'm prompted to pick from a list of many accounts. I constantly use the wrong credentials to log into things and have to log out and start over. I'm constantly worried that I'm going to leak client credentials into another client's system. It's a huge anti-security pattern, and they did it on purpose. I went to the 1Password forums to learn more about this, and a representative from 1Password stated this was intentional and was proud of it, stating something to the effect "it wouldn't be 1 password otherwise".
I won't use 1Password if I can avoid it, but I'm often required to due to clients using it. I switched to Bitwarden with a self-hosted server for all my personal credentials.
I used to work across multiple customers. One chrome profile for each (so gmail or o365 didn't collide), one 1password account for each. Works really well.
Unfortunately I still haven't found an alternative that works as well, otherwise I'd have switched a while ago.
I would ensure you have the correct version installed, because they have released newer extensions that only work with the hosted version.