1Password 8.10.39
1Password has issued 1Password 8.10.38, an essential update that contains fixes for a known vulnerability in versions of 1Password before 8.10.36 and a lack of protections for the desktop app settings file. Exploiting either vulnerability would require local access to the Mac, so neither is considered severe. But still, update right away now that the vulnerabilities are public. 1Password 7 also lacks protections on its settings file, but because of the low severity, 1Password isn’t releasing an update to 1Password 7—if you’re concerned about local threats, consider upgrading to 1Password 8.
Other enhancements in 1Password 8.10.38 include visual improvements to the Wi-Fi sharing QR code, the option to search on “favorite” and “favorites” to find items, accessibility improvements to tooltips, and the inclusion of Arc and Brave in the list of trusted browser vendors. The update also addresses a handful of bugs, including a sign-in problem with the user’s Emergency Kit, issues with search highlighting making links non-clickable, unrelated notes appearing after opening an item from a search result, and the duplication of vaults in 1Password when importing permissions from a LastPass account. Shortly after 8.10.38, 1Password released 8.10.39, temporarily removing the Setting Reset message to address edge cases. ($35.88 annual subscription from 1Password—TidBITS members setting up new accounts receive 6 months free, free update, 4.8 MB installer download, release notes, macOS 10.15+)
When will the Apple Password app be out? I CANNOT WAIT to stop using 1Password. But my subscription renews in September! Ugh… Hopefully it will be later in August when Apple releases it.
Why are you waiting? Apple’s Passwords app will just break into a standalone app the features that are already present in System Settings > Passwords? Which I covered in:
I don’t understand why you want to stop using 1PW…it does so much more than what Apple’s Password app will do that I can’t conceive it being a worthwhile replacement at this point. Maybe eventually it will achieve feature parity and be a viable alternative…but as of today it’s simply too limited for what most people tend to keep in 1PW…there’s a reason all those other capabilities exist in 1PW.
I understand the “I don’t want to pay for another subscription” thing…but penny wise pound foolish. Unless one only keeps website passwords in it…one would lose those other capabilities and current Apple offerings do not replace them.
I agree. The ‘penny wise, etc’ applies here. Subscription software is not all bad - particularly when you are paying for enhancements and security updates. Programmers don’t work for nothing, although many people think they should.
Because the UI, UX, billing, customer service (the absolute worst for years), and cost all totally stink. I only keep using it because there was no alternative I could easily jump to. So I used Apple along with it. Now that my Apple Password is almost a match, time to kill off this dog of a product forever.
Yes, I know but, the UI to get to it and interact inside System Settings is obfuscatory and miserable for users seeking simplicity (in contrast to how, usually, it is easy to use as an integration with Safari). I think having it as an app makes much more sense and should have been this way from the start. Why the heck was it stuck in System Settings anyway for user interaction? It is just a UI thing but still could have the integration — if that was the engineering purpose — being in the system but allow the user to work in it as a bigger adjustable window UI, quicker app UI/UX… which is probably what they are now finally doing anyway! Just odd…
But I will look at your article about moving sooner in anticipation of cancelation.
I used to update software every couple of years. It worked much better. If there was an issue, it could be updated, for free. I have found no advantage to non stop subscription at all. If anything, it brings on more frequent bugs and unwanted change. Even if it is wanted, with a purchase every few years, you could read about the change, see how it impacts the older versions and files. Allowing you or your company or students (and even the developer) time to adapt.
Subscription is just a way for companies to make us the beta testers and suck your money from you sooner versus every few years, so they invest it and make profit from those investments instead of you!
Capitalism is a two way street. I abandoned all my subscription software for up and coming alternatives that are not subscriptions. Sadly, a couple of those got bought by bigger company and, now charge. So I am moving on again to alternative non subscription.
I am willing to pay for storage, back up, and media subscription because, it is (mostly) not software. But even that, only to a point. If Apple Music goes up, and offers no lower rate for retired or disabled people on fixed incomes, I am out. If the lousy password software does not get better, and the price goes up, and I have a free alternative already, I am out.
Obviously you’re not utilizing the full capabilities of 1PW…if all you’re saving is website passwords then Apple’s app is probably sufficient. However…it’s new and I would not recommend shifting to a new and untried solution just yet. A lot of its code probably comes over from keychains or Keychain Access or the passwords section in Safari…but the new app needs maturation before you trust it I believe…because the password manager is arguably the most important software you use.
I agree…the UI in v8 isn’t as nice. Cost is actually pretty minimal…and it provides the easy ability for a lot of additional functionality over Apple Passwords…categories, Secure Notes, an offline backup capability which Apple may or may not have, multiple vaults, shared vaults, etc.
You’re correct…support isn’t as good as it used to be because their venture capital owners are more interested in profits than individual users and are forcing a business model switch to focus on enterprise customers…and there’s nothing wrong with that. I considered switching myself to something else…but the fact is there is no feature equivalent alternative that doesn’t have all the same drawbacks (subscription, vault location, etc) that 1PW does. I am staying with v7 for now and if it ever breaks then I will have a decision to make but I use all of those categories and am not willing to lose them. YMMV.
As noted in other replies…devs don’t work for free and while I would prefer not to be forced into the subscription model I can understand why companies do it.
I would totally rely on the Apple Password app, and even as a 1Password user, I tend to save everything in my iCloud Keychain too.
The issue with Apple Password Management is that it’s platform-specific. I manage a team account for work and we have Mac, Windows and Linux devices. Until Apple can provide reliable cross-platform password management I will stick with 1Password.
FWIW, Apple passwords do sync to Windows if you install iCloud for Windows.
I wonder if they’ll ever do anything for Linux. Though what I don’t know is if you can access synced passwords on iCloud.com, as I’m using advanced data protection and can’t check.
When I went to updates, it had an update to 8.10.40. NOT 8.10.39.
Don’t understand “Capitalism is a two way street”. The problem is that too many people expect to pay once for software, then have it work forever. That is not a sustainable model. Programmers have families, like to eat, pay the rent, etc. Updating software for new operating systems, new security challenges, and new features takes time, concentration, and effort. I WAS a programmer of custom software for quite a while, and while my contract was specific upon what would be delivered, I had no end of users asking for updates for a new OS, new features, new back-up options, new input options, yet did not want to pay for them - even years after the original purchase. For them, I was not supporting the software. I am not in this business any more - haven’t been for years, and still get requests for ‘courtesy’ upgrades. I’m out too - people are just too cheap!
Subscriptions are a way of guaranteeing a revenue stream for the software developers, and ensuring an up-to-date product. If that is not forthcoming, buy something else, but don’t expect it for free.
Yes, there are always more updates. 8.10.40 is too minor for us to cover.
And please, let’s not continue beating the dead horse of subscriptions versus permanent licenses. Nothing new has been said there in years.
I know, I’m an outlier and have had 1Password for years. I did the trick with syncing my vault to my iCloud, when AgileBits decided it was moving to Subscription-only. I think I’m still at version 6.8.9 on Mac and 7.x on my iOS device. When I considered just going subscription, I felt cheated and extorted that now all my pwds were in a vault I had to pay for annually. Was I wrong? Sure, it’s the best app for what it does, and we need more than ever. My workplace uses and forces on us, Lastpass, which I dislike and has seen numerous breaches. So what is one to do?
Well, my Firefox updated the plugin and it’s READ ONLY in a warning now. Shows updated recently (August) so I reverted back to the July version. We’ll see.
My concern is, my fear to move to latest and paid sub, I have an older vault and has anyone tips on the conversion? And with Apple Passkeys, will there be an import? Will that lock me in to Apple? I may just back up the vault but for those on future fixed incomes, I think an app like 1Password is not only crucial, it can’t be costly. Conundrum indeed.
All of the vaults that store passkeys are working on an import / export scheme, but it’s not available yet. That said, it shouldn’t be a problem: just create a new passkey for each site if you decide for some reason to move from one platform to another.
As for migrating an older 1Password standalone store to the new subscription vault, absolutely. 1Password explains what to do here: Migrate your existing 1Password data from standalone vaults to a 1Password account
I should add that 1Password has a very good export and import scheme that other password apps support. I’ve tried out BitWarden and moved all of my passwords and notes from 1p to BitWarden, with the exception of the two passkeys I have in 1p so far. I had to tweak a few things (I have several 1p vaults now and had to convert those to tags to make them easier to find in BitWarden) but it was pretty seamless otherwise. (I’ve decided to stay with 1p myself.)
Thanks Doug!
One note is that 1Password still works for me, however it’s the browser plugin that is Read Only - with last plugin update. I reverted back two versions and now the Read Only - click to purchase message is gone. (On my first cup. I should never post without coffee!)
1Password version 8 keeping passwords in the Cloud is an instant turn off for me. Enpass has a local vault option, and license option, and looks somewhat similar to 1Password. Most of the other password options look ugly or are limited in features. I wish there was an easy, good choice.
“Venture capital owners” is all you need to know. It seems that when tech companies are owned by actual techies, we get reasonable prices, good customer service, and sometimes even native apps. When tech companies are owned by VCs, we get high-priced subscriptions, ever-decreasing product value, crummy customer service, and ham-handed wrapped apps. Can’t wait for a better product to usurp them.
I hesitated to chime in with my regular (and entirely genuine) promotion of Strongbox, which I now use. Polished as 1Password? No. But really, I couldn’t be happier, and I really do think 1Password (7) refugees will be especially happy to make the jump. Ironically you’ll want 1P v8 to do this, for the migration. I have a few months of my final subscription left, but I wasted most of it, after migrating. Highly, highly recommend.
The problem is that as of today there isn’t a better or even equivalent featured option.
If it is not as polished, what in particular do you like about it?
If you need many features then your comment is true.
I, and probably others, need far fewer features and there are several options that do what I need. (I use an older version of 1PW and also Enpass.)
I’m still using v7.x of 1PW and will continue until it dies. The big problems with v8 originally were loss of DropBox storage which I can live with and the zero capability of local, user managed backup and restore. The latter has been resolved as we now know how to save the local SQL or whatever it is database and restore it independent of the 1PW cloud. While I prefer DropBox…using their cloud is acceptable. Their Secret Key which they claim makes it so much more secure is mostly BS…but in any event cracking in 10 trillion trillion centuries instead of 3 trillion trillion centuries is irrelevant…as long as the master password is good I’m happy with the security. If/when v7 fails to function any more I will have to do something…but I use the secure notes function in addition to password storage and there isn’t another product that provides that and the ability to use DropBox. If it does I will have to make a decision but I’m going with v7 as long as possible. The company is now mostly owned by VC who are only interested in profit…and the company focus is now on corporate clients rather than users and that’s a darned shame. The v8 client isn’t really very Mac like but again I can live with that…but until they admitted how one could backup and restore independent of their cloud v8 was a hard no for me and any other former sysadmin type that realizes password database is the most essential data one has and user focused backup and restore is mandatory.
Enpass is about the best of the alternatives but doesn’t do secure formatted notes…and I’m really suspicious of the encryption in Apple’s Notes app…it has never been vetted by outside security analysts to my knowledge and there are things in my Secure Notes that need to be safe.
Information on Apple’s Notes encryption can be found here. There’s a Wikipedia article on the method used and a write-up on how you decrypt notes after cracking the password.
Everything else. The functionality is very rich for a KeePass-based password manager. Unless you absolutely, definitely need a few little touches in the 1Password UI (customisable headers in your entries, semantically-rich custom fields, “Universal” autofill, slick entry sharing …) realistically you’re not going to notice. It does everything else right, including integrating with Safari using native APIs. Try it! It might be what you need. And it might not—if you really need an “online” password manager, I’d next suggest BitWarden.
I will definitely check it out. Thanks
Thanks Alan…I had seen those before but didn’t see any reason to change from 1PW when encrypted Notes were introduced. It’s also unclear and probably unlikely that Apple has allowed their encryption code to be audited as password managers typically do. That doesn’t mean there are errors in it…but audited code provides a higher degree of trust for the security.
I may end up using a combo of Enpass and Notes at some point…and will give Apple Passwords a whirl when it’s released…but as I noted in another reply the password manager is the most important data you have and while a lot of the underlying code might be from Safari or Keychain areas…but Passwords will be a 1.0 release next month presumably…and entrusting one’s most valuable data to a 1.0 product seems unwise. Hopefully it will become more fully featured and proven reliable and when it does it is another good alternative I’ve to consider.
I don’t get the impression that most password managers regularly have their code audited. For example, based on information on its website, Enpass has had its Windows and Android clients audited, but its Mac and iOS clients have never been audited as far as I can tell. I couldn’t find any information on any security audits of Strongbox. In contrast, 1Password 8 for Mac, Windows, Android, and iOS were audited in 2022.
Why do you think it’s unlikely Apple has had its code audited?
Standard Apple secrecy about pretty much everything. I have no inside info…obviously…but those password apps that have been audited use it as a selling point and it seems Apple would too if it were…and we would likely have seen assorted websites reporting it since like most things Apple it would have gotten leaked probably. I haven’t really looked at Apple’s Passwords yet since it isn’t released…but 1PW and others have additional features like completely secured secure notes as opposed to just contents, checking the site cert before autofilling (although Apple may have this), backup/restore (again Apple may have this as well), the ability to store images/licenses/passports/bank account data…all of which could be put in Passwords or Notes but not with a nice categorized interface, etc. I will take a look at it once released to see if it’s a valid option for me…but it’s still a 1.0 product and would need more seasoning, users beating on it, etc before using it for critical data. As a long time sysadmin back in my working days…v1.0 of anything wasn’t getting on a production server or workstation…you’re just asking for trouble there.