I guess I’ll be spending tomorrow figuring out best practices for self-hosting #Bitwarden’s server component (or #KeePass) on something I can safely access via @tailscale, since my 15+ year relationship with #1Password is finally catastrophically and utterly failing me.
Should I open up a Zoom as some sort of support group so we can suffer together?
I'm growing increasingly more annoyed by the instability of the recent non-native @1password application. It's slow, often buggy and generally, works like shit in Safari.
Any Mac users here that have success stories migrating to the native macOS passwords and are sharing some with their family?
Did you know that in #1Password you can pin individual fields to the Home tab? It’s great if you need frequent access to a specific field like a one-time password.🧵
The daily #1password Safari extension crash. @1password this isn't the most helpful error screen. IS the database corrupt? Will it be automatically cleaned up or rebuilt? Are there actions I can take? Check what, exactly, in my 1p browser settings?
ALSO APPLE: lol whüüps, #macOS randomly forgot that your #AppleWatch existed, so now you can't use it to unlock stuff like #1Password until you remember to go toggle the relevant prefpane setting off/on 😊
…for the umpteenth time 😇✌️
--- ALTERNATELY —
APPLE IN THE 90s: lol, rebooting to fix things? that's so microsoft. haha. scrubs.
APPLE IN THE 20s: have you tried turning [that setting] off and back on again??
For my personal use, I was on #Keychain for many years, then on #1Password for quite a while, and now I’ve started migrating back to Keychain. Keychain has been getting better in ways I care about, and 1Password has been stagnating or getting worse.
I've cracked billions of #passwords from tens of thousands of #data#breaches in the past 12+ years, and because of this, I likely know at least one #password for 90% of people on the Internet. And I'm not alone! While I primarily crack breached passwords for research purposes and the thrill of the sport, others are selling your breached passwords to criminals who leverage them in #AccountTakeover and #CredentialStuffing attacks.
Use a #Diceware style #passphrase - four or more words selected at random - for passwords you have to commit to memory, like your master password!
Enable MFA for important online accounts, including cloud-based password managers!
Harden your master password by tweaking your password manager's KDF settings! For #Bitwarden, use Argon2id with 64MB memory, 3 iterations, 4 parallelism. For #1Password and other PBKDF2 based password managers, set the iteration count to at least 600,000.
Use unique, randomly generated passwords for all your accounts! Use your password manager to generate random 14-16 character passwords for everything. Modern password cracking is heavily optimized for human-generated passwords, because humans are highly predictable. Randomness defeats this and forces attackers to resort to incremental brute force! There's no trick you can do to make a secure, uncrackable password on your own - your meat glob will only betray you.
Use an ad blocker like #uBlock Origin to keep you safe from password-stealing #malware and other browser based threats!
Don't fall for #phishing attacks and other social engineering attacks! Browser-based password managers help defend against phishing attacks because they'll never autofill your passwords on fake login pages. Think before you click, and never give your passwords to anyone, not even if they offer you chocolate or weed.
#Enterprises: require ad blockers, invest in an enterprise password management solution, audit password manager logs to ensure employes aren't sharing passwords outside the org, implement a Fine Grained Password Policy that requires a minimum of 20 characters to encourage the use of long passphrases, implement a password filter to block commonly used password patterns and compromised passwords, disable #NTLM authentication and disable RC4 for #Kerberos, disable legacy broadcast protocols like LLMNR and NBT-NS, require mandatory #SMB signing, use Group Managed Service Accounts instead of shared passwords, monitor public data breaches for employee credentials, and crack your own passwords to audit the effectiveness of your password policy and user training!
#1Password wprowadzil od dzisiaj obsluge #passkey do wtyczki dla przegladarki w wersji beta - damn, o czyms takim zawsze marzylem 😲 Zeby to jeszcze banki zaczely obslugiwac to juz w ogole bylaby poezja... 😆 #CyberBezpieczenstwo
As a developer the biggest irritation I have with #1Password is that it doesn't take ports into account when displaying suggested logins; so logins saved for localhost:1234 will also be displayed for localhost:9876.
I mentioned it on the birdsite a while ago and they responded saying such a feature would be useful but it never materialised.
Thinking about moving to #bitwarden but initial testing shows the same limitation - unless there is a setting somewhere.
Somebody should release a wrapper around #1Password's op CLI tool, which adds new features but is also only available if you live in the US Midwest. One Password Extended, or ope.
Hm, I used @Cloudguy as a reason to thoroughly clean up everything related to #amazon and to migrate some things to #iCloud#keychain just to find that password changes in iCloud-Keychain sometimes do not seem to stay but are overwritten (synced?) with the old password.
Even if I delete a specific account/password it just comes back after a while!
It seems I’ll stick to #1password for another few years, at least for the non-#webauthn set of logins.
I tried out the @1password passkeys support beta a bit today and there's something to be aware of right now: 1Password will return a response with uv:true during authentication, but the user is never required to enter a PIN/master password/use Touch ID during the auth ceremony. Clicking a passkey the extension helpfully displays is all it takes log in...
I verified this on https://webauthn.io with userVerification: "required" for auth:
The same thing is true for registration, no attempt to perform user verification takes place but the response includes uv:true 😬
I'm giving 1Password the benefit of the doubt right now since this IS a beta after all, but this needs to get fixed soon because all their browser extension is providing is a single factor (user presence) for what's supposed to be multi-factor auth 😱
You know, I love #1password but as a developer I would really, really like to be able to have it recognise port numbers and maybe even query string parameters when presenting login details.
Presenting everything I have for 'localhost' isn't really that helpful to me 😞
Being able to differentiate localhost:44356 from localhost:44390 would be a big win in my eyes.
If they could go futher and differentiate localhost:44390/login?tenantid=123 from localhost:44390/login?tenantid=987 even better 🙏
Disappointed to report that the glory days of #AgileBits (aka the makers of #1Password who have abandoned AgileBits and just become 1Password the Company) are over.
1Password had been showing early signs of #Enshittification with the update from version 7 to version 8.
As of today I can tell it's turning into nagware: treating the UI as a billboard for advertising, and most obviously & predictably boiling the frog via a rentier capitalism subscription model, despite prior assurances.
So @1password needs to work on their “a former employer terminated the corporate account your personal account was still getting subsidized through” user flow.
Because #1Password refusuing to autofill, w/ the text "your account is frozen”, on 1Password.com which is where you need to sign in to update your billing info, is terrifying 🤨🤔🥴😱
(Figured it out eventually! You can still sign in and still use apps to read/copy your data; the frozen part is /just the autofill/! THIS IS NOT OBVIOUS!)
I had a super obvious idea. Why don't password managers guard against spoofing by checking whether the hostname they have saved matches the site you are trying to enter the credentials into? I was spoofed a month ago and have been thinking about it since. Does anyone know if that's ever been proposed to a browser?
It's so obvious I assume I'm not the first person to think of it, but I cannot find anything online. Links appreciated.
"quote-boosting" this to note the overall trend of “Apple's built-in password management continues to mature”. Personally speaking, it's not going to replace #1Password for me just yet, but it's good to see progress here.
(Side note: I lurk in some security-conscious channels & recently folks have gotten /extremely mad/ about some 1P UX design decisions wrt passkeys. How 1P responds to their input will be useful signal…)