Kenn White
1Password's decision to sunset local credential storage for a 3rd-party cloud model alienates its most vocal allies — security professionals
railmeat 9 Jul 17
Replying to @kennwhite
So where to from here? Do you know of another password manager that offers local storage?
Kenn White 9 Jul 17
Replying to @railmeat
there are plenty. Most I've looked at have a lousy security posture, or *very* rough UX. Big opportunity in the market.
Carl Malamud 9 Jul 17
Replying to @sts10 @kennwhite
Same question as Sam … do you have a link to this? Can't see anything on their home page or in news.
Kenn White 9 Jul 17
Replying to @carlmalamud @sts10
Kenn White 9 Jul 17
Replying to @ryanbrio
yes aware of all of those, and no comparison to the low-friction of 1P. I took a look at the Android forks, but unconvinced of subtle errors
Kenn White 9 Jul 17
Replying to @CarbonDynamics
Oh, I get the use case. It's market driven by much (most?) of their user base. But, for me, "enable remote decrypt to plaintext" is no go.
Kevin Riggle 9 Jul 17
Replying to @kennwhite
AIUI, credentials are still encrypted/decrypted locally---storage is just cloud. Depends how much you trust webcrypto.
Kenn White 9 Jul 17
Replying to @kevinriggle
that...does not appear to be the case. Looks like they store & decrypt remotely post-credential post (not running any browser plugins)
the norm respecter 9 Jul 17
Replying to @kennwhite
I've been a happy Teams user for years now and think it is massively positive for real security benefit, maybe not theoretically perfect tho
Dmitry Chestnykh 9 Jul 17
Replying to @kennwhite @kevinriggle
Last time I used it, you had to enter initial credentials in the browser, though (again keys are not sent to server, but risky)
Kenn White 9 Jul 17
Replying to @bizzyunderscore
the calculus is, I'm a nobody, so pop my iphone: you get my goods; pop/sniff their auth endpoint and you get *everybody's* goods.
the norm respecter 9 Jul 17
Replying to @kennwhite
Yet somehow the profit is always aligned w that axis too. It is a bummer.
Kenn White 9 Jul 17
Replying to @dchest @kevinriggle
in the tests I just ran, the 1P web login now requires email + credential + key (three text fields). I haven't looked at browser crypto tho
Dmitry Chestnykh 9 Jul 17
Replying to @kennwhite @kevinriggle
Kenn White 9 Jul 17
Replying to @bizzyunderscore
I'm not sure what that means, but I don't begrudge their self-interest, just disappointed my use case requires transitioning off a solid app
Kenn White 9 Jul 17
Replying to @dchest @kevinriggle
thanks. will take a look.
Roustem Karimov 9 Jul 17
Replying to @kennwhite @kevinriggle
It is a single page of JavaScript performing everything on the client. ReactJS and WebCrypto.
Kenn White 9 Jul 17
Replying to @roustem @kevinriggle
thanks. Any clarification on long-term support for local vaults? The guidance on forums (for me anyway) was very unclear.
Roustem Karimov 9 Jul 17
I am confused. Wouldn't infosec people prefer and recommend more secure solutions? The design of 1Password Teams is far superior. /