Was wondering if anyone had any thoughts on 1Password?
I know that open source is usually the preferred choice but they do offer the convenience of browser add-ons, being multi-platform (also works on PureOS!), cloud syncing between devices and they also claim to be transparent with their security audits:
I’d be interested to know how others here would view the risks of this service. Would you view this as a generally safe choice?
Are there better options that do the same thing?
I just started using KeepassXC on desktop and KeepassDC on Android (my first time using a password manager).
It’s multi-platform, open-source, actively maintained, and there’s a browser add-on available. For syncing, I think the only option is to save your encrypted password database to a cloud service (or your own server).
As passwords belong to the most sensitive digital assets, I personally would never trust a closed source proprietary system to act in my interest. On less important things I would not totally exclude using CS systems if they really have advantages that I have a use for.
If you like documentation they list their security audits here: https://support.1password.com/security-assessments/
I don’t have any facts beyond that but I’m sure others will chime in. I like Bitwarden more (if I was more singular device focused Keepass or a variant would be my choice) as it does what I need.
I had it a few years back, but use Bitwarden now.
Thanks for the feedback, everyone.
Yeah, the closed source aspect is the part that is unfortunate. I forgot to mention that its other cool features I want are its support for 2FA, shared vaults and a feature that tells you when a login you have has been compromised (due to a site being hacked). Although I suppose I could live without the latter.
Bitwarden seems like a fairly close alternative, although am I right to assume you need their cloud version to get the extra 2FA and shared features? If that is the case, wouldn’t it be the same situation as 1Password as you’re still trusting the company?
I suppose the next question would be if you used a totally local open source solution, wouldn’t you need an online / remote backup? At that point wouldn’t your data be exposed again?
Just playing devil’s advocate and trying to weigh up the pros and cons, haha. Thoughts welcome!
Backed up online, or backed up on a separate drive. Either way, the password database will be highly encrypted. And it can be treated purely as a backup, not as the active version that you open and close to retrieve (expose) login credentials.
If you are able to, you can self-host a Bitwarden instance: https://bitwarden.com/help/hosting/. Between open source, fair pricing, and the effort they put in to be able to allow people to self-host, I trust them more than most companies and use them myself. I like that you can have a standalone program running and NOT use the browser extensions, since your browser is probably the most vulnerable part of your system and keeping your password database away from it seems like a good idea.
This is a good point. It likely would be more secure being encrypted on my own random server somewhere.
This is interesting. I’ll definitely look into this some more!