Remove 1Password

Anyone can learn to be a developer and anyone can learn to run a business, it’s a matter of priorities. Obviously they are not telling every single person reading the article to build a solution, more like rally support for a new solution to be built. Either way there are many FOSS password managers in the works that could surely benefit from your support such as passbolt (not recommended here), or psono.


Nice misinformation. They specifically lowered prices almost immediately due to high demand allowing them to reach economies of scale quicker than anticipated. Source.


Anyways, this is becoming extremely off-topic from the original post.

I’ll agree to disagree, and allow the thread to re-converge back on topic.

1 Like

It is called marketing, nothing more. They didn’t share how many new customers they got only for Proton Pass, right? The majority of the customer base is already getting it via Unlimited, Duo and Visionary packages, and even in the year 2024 (soon to be 2025) they are unable to offer multiple memberships for one account.

Their recommendation is actually very simple: avoid VC-funded password managers, and 1Password is the worst candidate here, with 1B in VC funds.

1 Like

I wouldn’t use VC funding as a mark against them here. Many projects are VC funded like SimpleX Chat and they’re excellent.

I’ll reiterate - I consider it a lower quality article. There may be some truths, but I’m taking it with a grain of salt. I’ll agree to disagree with any further points.

I think you might be holding this article to an unreasonable standard.

1 - it’s a blog post from 2 years ago
2 - the author admits it’s all conjecture
3 - it seems like the main point is not to offer an alternative to BW but to make readers “cautious of what can happen”

then again these might be reasons to consider it low quality in the first place :person_shrugging:

1 Like

I think it should be removed, but not because of its proprietary nature. This discussion leads nowhere, as both sides have significant arguments for and against.

The reason for removing 1Password is that 1Password isn’t working well with the current PrivacyGuides recommendations.

  1. It is impossible to log in using a FIDO security key on GrapheneOS without GAPPS - 1Password is dependent on Google. My YubiKey works with Bitwarden perfectly without GAPPS.
  2. The QR code scanner for OTP codes is not working either, as it is, again, Google dependent.
  3. The 1Password Linux app is not using Wayland. It’s still on X.
  4. The 1Password Linux Firefox extension doesn’t work on Flatpak. You’re forced to use the FF provided in the repos, which is quite often outdated.

In summary, since PG is recommending GrapheneOS and Linux, and 1Password is not working well with either, I think it should be removed.

4 Likes

How did you get this to work? On my GrapheneOS device Bitwarden with YubiKey FIDO2 only works with Play Services.

I am using the version from the BW repository on F-Droid. Works flawlessly :)

That’s probably because FIDO requires Play Services to function on GOS as of now. I think I saw somewhere that the GOS team wants to implement a method for it to work without Play Services but have been dedicating resources elsewhere for other features.

Are you sure that there are no Play Services or microG present on that device?

1Password support personnel do not know PGP.
1Password publishes PGP public keys on keys.openpgp.org for support@1password.com. The key can easily be obtained using Mozilla Thunderbird.

I sent my email to 1Password encrypted with PGP.
Then I got this reply.

I’m afraid your email was empty on our end and the attachment couldn’t be opened.
Could you tell us a bit more about what you’re experiencing or how we might assist?

They have published their own PGP keys, but not only do they not know how to use them, they don’t even seem to know what PGP is in the first place.
This raises serious questions about their technical capabilities. Do they really respect privacy and security?

If this is how 1Password handles critical vulnerabilities they should be removed although they never should have been added to begin with.

1 Like

Malicious websites

Techniques like clickjacking or deceptive overlays can be used to trick users into interacting with interface elements, including autofill prompts, in ways that may expose sensitive information.

Your information in 1Password is always encrypted and protected. Clickjacking does not expose all your 1Password data or export all your vault contents, and no website can directly access your information without interaction with the browser extension’s autofill element. At most, a malicious or compromised webpage could trick you into autofilling a single matching item following a click, not everything in your account.

For maximum safety, consider locking the 1Password browser extension when browsing unfamiliar or risky sites so autofill requires explicit intent.

1 Like

I agree. The title should be more clear. As someone who still uses 1P, I was alarmed.

I also agree that it reveals a company’s level of commitment to privacy. There are privacy companies that are clearly very dedicated to privacy, but have shortcomings that were easy to avoid, and are easy to fix, and yet they refuse to address them. That bothers me. I am also disappointed, if not suspicious, when privacy companies refuse to join collective endeavors that are easy to participate in.

All that being said, I don’t consider 1Password to be a privacy company. And this is someone who uses their service and is subscribed to their podcast. They are primarily a security company. They obviously care about privacy to the degree that online security intersects with it, but I don’t see it as one of their core values. I’ve never seen them join or comment on big fights, when companies that are much smaller than them have.

1 Like

Hey, as both LastPass and 1Password don’t have a rating yet, their summary is not complete. Not enough of their legal documents have been summarized into points yet.

You forgot to post this here: @Bhaelros

For everyone else remember to always wait for all the details before speculation or straight for the throat axing a product’s reputation.

There is also this:

https://socket.dev/blog/password-manager-clickjacking#:~:text=It’s%20the%20opinion%20of%20the%20Socket%20Security%20Team%20that%2C%20if%20this%20is%20the%20case%2C%20the%20mitigations%20currently%20implemented%20by%20other%20password%20managers%20may%20also%20be%20bypassable

Discussion with 1Password

After filing the request for CVE numbers with US-CERT the Socket Security Team reached out to the impacted password manager vendors to alert them about the pending CVE assignment. At time of publication, only 1Password responded.

On a call between the 1Password and Socket Security Team, 1Password explained that the mitigations proposed by Tóth could be trivially bypassed, and that the only way to mitigate the vulnerabilities fully would be to implement a dialog popup to prompt the user before autofilling. It’s the opinion of the Socket Security Team that, if this is the case, the mitigations currently implemented by other password managers may also be bypassable.

1Password stated they considered this dialogue popup solution, and implemented it for credit card fields, but opted not to implement this for PII due to user feedback, according to the H1 triage logs with Tóth:

Security and usability are a balance, one that we are always making tradeoffs back and forth to find the right solution. Sometimes there is no perfect solution, only the solution that works best for the most users. As I mentioned previously, it is only with user feedback that we chose to remove the prompt for the PII items that would prevent clickjacking from occurring. A change that we’ve documented in the support article under the “Identity alerts” section.

As of the time of publication, 1Password has chosen not to provide an official statement to the Socket Security Research team about Tóth’s research.

While it is easy to assume vendors are simply ignoring these vulnerabilities, the reality is more complicated. Mitigating DOM-based clickjacking in a way that is both robust and frictionless for end users is a technically difficult challenge. The most straightforward solution, adding confirmation dialogs before autofilling, does introduce usability friction that some users may push back on. Password managers walk a tightrope between security and usability, and choices about which safeguards to enforce ultimately reflect product decisions about that balance. That said, the research highlights that what’s convenient for users in the short term can leave them exposed to systemic risks that attackers may exploit.
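A simplified model, added here as an example and not code from 1Password, Socket or Tóth’s research, of why the post above separates heuristic mitigations from an explicit confirmation prompt. The DOM is replaced by constructed plain objects; the two heuristics approximate a CSS visibility walk and `document.elementFromPoint`; the `transform` scenario is an assumed bypass chosen only to show that any fixed list of CSS properties leaves gaps, and the `userConfirmed` flag stands in for a prompt rendered in extension UI that the page cannot overlay.

```javascript
// Added example, not 1Password's, Socket's or Tóth's code.
// A node is a plain object: { id, style, parent, rect }. rect is {x, y, w, h}.
function makeNode(id, style = {}, parent = null, rect = null) {
  return { id, style, parent, rect };
}

// Heuristic 1: is the dropdown, and every ancestor, rendered visibly?
// Catches display:none, visibility:hidden and opacity tricks applied to
// the injected dropdown or a wrapper the page controls. It only knows the
// properties listed here; anything else (clip-path, transform, ...) is a gap.
function isEffectivelyVisible(node) {
  for (let n = node; n; n = n.parent) {
    const s = n.style;
    if (s.display === 'none') return false;
    if (s.visibility === 'hidden') return false;
    if (s.opacity !== undefined && Number(s.opacity) < 0.1) return false;
  }
  return true;
}

// Heuristic 2: which element is topmost at the click point?
// Approximates document.elementFromPoint over our flat element list:
// a covering element with a higher z-index wins.
function topmostAt(elements, x, y) {
  let top = null;
  for (const el of elements) {
    const r = el.rect;
    if (!r) continue;
    if (x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h) {
      if (!top || Number(el.style.zIndex ?? 0) >= Number(top.style.zIndex ?? 0)) top = el;
    }
  }
  return top;
}

// Decision: an explicit confirmation (assumed to be extension UI the page
// cannot style or cover) short-circuits everything; otherwise both
// heuristics must pass before a click is treated as intent to fill.
function shouldAutofill({ dropdown, elements, click, userConfirmed }) {
  if (userConfirmed) return { fill: true, reason: 'confirmed' };
  if (!isEffectivelyVisible(dropdown)) return { fill: false, reason: 'hidden-ancestor' };
  const top = topmostAt(elements, click.x, click.y);
  if (top !== dropdown) return { fill: false, reason: 'covered-by:' + (top ? top.id : 'none') };
  return { fill: true, reason: 'visible' };
}

// Constructed scenarios, not real page data.
// 1. Page sets opacity:0 on a wrapper around the injected dropdown.
function scenarioOpacityTrick() {
  const wrapper = makeNode('wrapper', { opacity: '0' });
  const dropdown = makeNode('dropdown', {}, wrapper, { x: 10, y: 10, w: 200, h: 40 });
  return shouldAutofill({ dropdown, elements: [dropdown], click: { x: 20, y: 20 }, userConfirmed: false });
}

// 2. Page draws a near-transparent full-screen overlay above the dropdown.
function scenarioOverlay() {
  const dropdown = makeNode('dropdown', { zIndex: '1' }, null, { x: 10, y: 10, w: 200, h: 40 });
  const overlay = makeNode('overlay', { zIndex: '9999', opacity: '0.01' }, null, { x: 0, y: 0, w: 800, h: 600 });
  return shouldAutofill({ dropdown, elements: [dropdown, overlay], click: { x: 20, y: 20 }, userConfirmed: false });
}

// 3. Assumed bypass: a property the heuristics never inspect. The dropdown
// is shrunk to a speck under a decoy button, yet both checks pass.
function scenarioTransformBypass() {
  const dropdown = makeNode('dropdown', { transform: 'scale(0.001)' }, null, { x: 10, y: 10, w: 200, h: 40 });
  return shouldAutofill({ dropdown, elements: [dropdown], click: { x: 20, y: 20 }, userConfirmed: false });
}

// 4. Same hostile page as scenario 3, but the fill is gated on a prompt.
function scenarioConfirmed() {
  const dropdown = makeNode('dropdown', { transform: 'scale(0.001)' }, null, { x: 10, y: 10, w: 200, h: 40 });
  return shouldAutofill({ dropdown, elements: [dropdown], click: { x: 20, y: 20 }, userConfirmed: true });
}

console.log(scenarioOpacityTrick(), scenarioOverlay(), scenarioTransformBypass(), scenarioConfirmed());
```

Scenarios 1 and 2 are stopped by the heuristics, scenario 3 is not, which is the shape of the argument in the post: any property-by-property check is only as complete as its list, whereas a prompt the page cannot touch turns the question from “does this look visible?” into “did the user ask for this?”, at the cost of the extra click that 1Password says users pushed back on.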

There is a fix; it is in settings:

“The most straightforward solution, adding confirmation dialogs before autofilling, does introduce usability friction that some users may push back on. Password managers walk a tightrope between security and usability, and choices about which safeguards to enforce ultimately reflect product decisions about that balance. That said, the research highlights that what’s convenient for users in the short term can leave them exposed to systemic risks that attackers may exploit.”
https://socket.dev/blog/password-manager-clickjacking#:~:text=The%20most%20straightforward,attackers%20may%20exploit.

It is just not on by default.

3 Likes

Well, why isn’t it on by default? Why assume that most of your users will dig through these kinds of settings? Isn’t the whole point to provide the safest experience for the vast majority of your users, and to provide alongside that settings that can be customized on a case-by-case basis?

This is why I am pissed at 1Password. The way they’ve dealt with this thing doesn’t make a lot of sense, as much as it is patronizing towards their customers.

Better be transparent and public about it, release an update with a new option (even if it doesn’t fully fix the issue), and teach your users how to improve their safety online. This could have been a blogpost. Instead, we had to make an outcry on socials to get a response from them. It is still disappointing, as much as it is a breach of trust towards your users.

Don’t patronise your customers. We’re paying you to be safe, not to beg you for an update.

1 Like

While I’m not an expert by any means, my guess is that if the user trusts the pop-up it simply trains the average user to click on the pop-up without considering any of the actual implications.

Most of 1Password’s customers are corporate. Their default isn’t for a user that’s actively pursuing and interested in maintaining higher standards of privacy and security.
It’s for a corporate employee that asks whether you’re a coworker when you give them an email alias with the company name in it.

I’m far more concerned that both the Bitwarden and Proton Pass add-ons stay logged in by default. If I end up on a malicious page it’s likely I clicked on a link somewhere else and it is the first page open in my browser. Suddenly being asked to log into my password manager on a site I don’t recognise is a far better control in my opinion.

As I understand it, the clickjacking attack also requires that the attacker control a sub-domain of the legitimate site. I do get how this might be easier than taking control of the main site, but it then seems to require multiple points of compromise.

1 Like