Enpass or 1password
7/2/2023

That's why I bought the software despite having access to a license from work. It boggles my mind that people are so quick to support a company that's making changes solely for their own benefit to the detriment of their customers. And, since the software auto-updates, I think it's fair to expect them to not push out updates that make it harder to use the software or otherwise push me towards a subscription model that I'm never going to accept. And it's fair to expect them to not hide the download link for when I need to install it, since that's explicitly allowed by the license I purchased. But I did pay them over $60 a little over a year ago, so I think it's fair to expect a few bug fixes. Because people who are worried about that level of attack are generally willing to undergo a lot more pain to stay secure than your average user is.

Did I ever say that I expected "updates in perpetuity"? I said (in another comment from the one you replied to) that I expect the software to "work in perpetuity." That's a very different requirement that requires AgileBits to do absolutely nothing except not tie it to their own cloud services. There can be different classes of security products for those that need protection from state-level actors and those that don't. Need proof? PGP/GPG passes security reviews but has terrible UIs. What percent of emails are PGP/GPG encrypted? We shouldn't let the perfect be the enemy of the good. When comparing a secure but difficult to use password manager, a potentially insecure password manager with an easy-to-use UI and a combination of insecure passwords, post-it notes and all the other terrible ways that users have of "managing" their passwords, the middle ground is likely to come out ahead for all but the most technically adept users. Most computer users haven't adopted any password manager yet. In advocating for password managers, the interface absolutely does matter.
The other point that should probably not get lost is that we're dealing with levels of security. In so much as the security of 1Password requires executing a single line of code on servers controlled by 1Password, the product is insecure and fundamentally unauditable because that line of code can be changed at any time without users being made aware. This is not true of software running on the company's servers. But when code is pushed out into the world, it can, at least, undergo some scrutiny/testing by people outside the company. That's just a fact of life when software isn't open source. Running closed-source software on our own computers involves a level of trust in the authors of that software. What we've learned from Snowden is that any cloud provider can be secretly made to bend to their governing body's will. Their web-based products require a level of trust in 1Password (the company) that none of us should be willing to place in any company. What I can see is that 1Password is pushing users towards a model that's fundamentally insecure. It's great that you recommend 1Password based on some other criteria, but I'm not sure why your recommendation should mean anything to me unless you've been given some privileged access to their code that the rest of the world doesn't have, and if you have been given that type of access, it's irresponsible of you to denounce other products unless they've denied you similar access. They post blog updates on vulnerabilities (e.g.) after releasing fixes. Enpass does seem to handle security incidents in a pretty responsible fashion. Not being a security researcher or having access to either product's code, I'm not sure how I could be expected to perform that level of evaluation, but I've built systems that have passed security reviews and, from a non-privileged access point of view, I see little difference between the two. Since neither of them is open source, I haven't put energy into making sure either of them is secure.