Critical 1Password Security Flaw Could Let Hackers Steal Unlock Key
forbes.com
This is a local flaw that requires malicious software running on the user's machine. The malware can read the unlock key by pretending to be a web browser extension.
This is a reminder that no security is 100% and that it is an endless battle...
I am happy to get out of
Why do people still use 1Password these days?
They should move to Bitwarden.
Honestly, the only feature of 1Password that is locking me in is their MultipleVault support.
I have a lot of different vaults, every side project has a different vault, every contract I do has a different vault, and I split a lot of my personal stuff up, I have a vault I share with my partner, personal vault, one with finance stuff, one for all my software licenses.
I then have my main search setup to only use my personal vault, my shared vault with my partner, and two other vaults.
I can't do this with Bitwarden. The best I can do is a folder per 'vault' and then remember to select which folder I want every time I auto-fill, which adds enough pain to the workflow that I just won't make the switch.
A huge amount of companies do.
I'm not sure Bitwarden is a replacement for them either as 1Password has a lot of niche features companies might use but private people tend to not care about.
Sadly, Bitwarden has no tags, which various users use extensively.
Did you read the article? This requires your computer to already be compromised with malicious software. While not a great vulnerability, if your device is compromised the security of anything on it is now in question.
Also, I think you're thinking of LastPass, which keeps having breaches. This is the first 1Password exploit I remember in recent time, though I could be wrong.
Yup, also macOS only.
> The security vulnerability was found within 1Password for macOS and targets users of all 1Password 8 for Mac versions before 8.10.36. To exploit this vulnerability, an attacker would have to specifically target 1Password for Mac users and convince them to run malicious software on their computer. An attacker could, the 1Password support posting confirmed, abuse missing macOS-specific inter-process validations in order to impersonate a 1Password browser extension.
> The macOS XNU (macOS kernel) inter-process communication framework is system-native and used by 1Password to enforce ‘hardened runtime’ protections that should prevent tampering with such processes and, therefore, prevent certain types of local attacks from taking place. The Robinhood Red Team hackers found a way around this protection during an independent security assessment of 1Password for Mac.
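The quoted passage describes the defect as missing inter-process validation: a local helper accepts any process that connects and claims to be the browser extension. The standard macOS mitigation is to bind the XPC connection to a code-signing requirement so the peer's identity is checked by the OS rather than trusted. The listener below is an added illustration of that pattern, not code from 1Password or from the article; the protocol, the bundle identifier and the team identifier are placeholders, and the `setCodeSigningRequirement(_:)` call is the public NSXPCConnection API available from macOS 13.

```swift
import Foundation

// Hypothetical XPC interface a local helper might expose (constructed for this example).
@objc protocol HelperProtocol {
    func ping(reply: @escaping (String) -> Void)
}

final class Helper: NSObject, HelperProtocol {
    func ping(reply: @escaping (String) -> Void) { reply("pong") }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Designated requirement the connecting peer must satisfy: signed by Apple's
    // developer chain, a specific bundle identifier, and a specific Team ID.
    // Both identifiers below are placeholders for this example.
    static let peerRequirement =
        "anchor apple generic and " +
        "identifier \"com.example.browser-extension\" and " +
        "certificate leaf[subject.OU] = \"PLACEHOLDER_TEAM_ID\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Weak pattern (the class of bug the article describes): accept every
        // local connection and trust whatever the client says it is.
        //
        // Hardened pattern: attach a code-signing requirement to the connection.
        // Messages from a peer that does not satisfy it are dropped by the XPC
        // runtime and the connection is invalidated, so impersonation by an
        // unsigned or differently signed process fails before any handler runs.
        guard #available(macOS 13.0, *) else {
            // On older systems this API is unavailable; refusing is the
            // conservative choice for this example (assumption, not a recommendation
            // for any specific product).
            return false
        }
        newConnection.setCodeSigningRequirement(Self.peerRequirement)

        newConnection.exportedInterface = NSXPCInterface(with: HelperProtocol.self)
        newConnection.exportedObject = Helper()
        newConnection.resume()
        return true
    }
}

// Example service setup; the Mach service name is a placeholder.
let delegate = ListenerDelegate()
let listener = NSXPCListener(machServiceName: "com.example.helper")
listener.delegate = delegate
listener.resume()
```

The requirement string is evaluated by the system against the peer's actual code signature, so a malicious process cannot satisfy it by copying the extension's name or messages. The Team ID check matters as much as the bundle identifier: without it, any developer could sign an app with the same identifier.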
I pay for Bitwarden for personal use, but I work in a company that uses 1Password. I can say that 1Password is waaay ahead of Bitwarden in terms of UX.
Honestly, it's hard enough to convince employees / family members to use a password manager as it is. "Good UI" is vastly underrated as a solid security measure.
Bitwarden has no SSH IdentityAgent implementation. That is something that 1Password handles perfectly.
Also 1Password has multiple vaults, which I really like