Last month Canva was breached. As part of their response, Canva partnered with 1Password to offer 12 months of the family plan for free. New 1Password customers only.
Credit to @carlucch for the updated link after 1Password and Canva added extra hoops for users to jump through.
Please show yourself out
I'm calling the police
Haha, good one Dad!
SnowWhiteSneezySleepyHappyGrumpyDopeyDocBashfulPerth
1Password Family is a lot more sophisticated than an "encrypted word document". It generates and stores secure passwords that are synced between all of your devices. It integrated with various browsers. You can split your passwords between multiple vaults, then grant access on a per vault basis. It warns you about services that have been breached.
What happens when 1Password gets breached? or is there some technical reason why this cant happen?
Encryption/Decryption is done on the device. 1Password doesn't store the key, only the encrypted vaults.
@skwashd: This, the data, even stored within the cloud is encrypted with your master password and decrypted on device.
An attacker would need a combination of your Master Password (which could be phished fairly easy) along with your 1Password Key which is like a serial. If this is stored offline/securely then attackers won't get access to both. This combination is required to get gain access on any new device.
It's great to sync across every device, set new passwords easily and it's integrated with Have I Been Pwned. So if a website you have a saved password for is compromised, it's shown up in 1Password as such, advising you to change your password. Also, if a password you're using appears in a password list, it will alert you as well.
@daleyboy79: They have a lot of great, intuitive features. They also have Google 2FA codes baked in, so you can have 2FA within the same app.
On my iPhone, when I login to a website with 2FA (and 2FA is setup in 1Password) as it enters the credentials via the keyboard, it automatically copies the current 2FA code to clipboard, once the next screen appears prompting for 2FA code, I just paste it in and I'm in.
I have it on about 3 or 4 devices, if I add or change details on one device it appears on the other devices shortly after opening 1Password.
@sghetti: @sghetti how do you enable 1pass to copy otp to clipboard when logging in using 1pass? Doesn't work for me. Using iPhone. Or it doesn't work on some websites?
@freelife: Under Settings > Password AutoFill > Enable Auto-Copy One-Time Passwords.
As long as you have One-Time Passwords setup for that website and it's generated within the 1Password app, when the credentials are auto-filled it will copy the one-time password too.
Best to also set auto clear passwords/passcodes under Security too (I think it's enabled by default though)
@sghetti: How does that last sentence chime with them not having access to your passwords? How would they find out something you use has popped up in a list?
@team teri: https://support.1password.com/watchtower-privacy/
The gist is that most of the comparison happens on-device.
@team teri: Passwords are hashed/sated, they use the hashed password to check against lists of exposed passwords which are also hashed/salted. Most exposed passwords are not technically usable by attackers. But as computing power becomes more accessible, it's only a matter of time before they have the power to decrypt these passwords.
@sghetti: This part confuses me. We use 1password business at work, and you can reset a users password/encryption key, without them loosing access to their private vault.
For this to work, it'd need to either
1.Decrypt the data, and re encrypt using the new key (In which case, the key is stored in the cloud, because this can be done without access to the users password or key. Most likely encrypted using something tied to the admin accounts)
Or
2. The private vault is encrypted using an account tied key, rather than user tied key (In which case, is everything encrypted using a single key??)
I'm sure however they're handling this is secure, but how they're handling this alludes me. There must be some security compromise here…
We use 1password business at work, and you can reset a users password/encryption key, without them loosing access to their private vault.
I think that feature only works on business accounts.
LastPass explains how they do it here
https://support.logmeininc.com/lastpass/help/reset-a-users-m…
@skwashd: They do store family and team members keys in the organisers vault or something like that because the organiser is able to recover the accounts of members without any knowledge of the previous password and the key. The member is able to set a new password and gets a new key by clicking a link in their email after the organiser initiates the recovery.
One of the big selling points to these apps (not just 1Password but any password manager in general) is that since you aren't remembering the passwords, you can and should leverage the ability for the application to randomly generate the password for each and every one of the sites too so no two passwords are the same. That way when a sites compromised you have to update exactly one password. I suspect anyone manually doing entry and export out of MS Word are going to be running with some pretty basic and rough passwords given they'll still need to type those out or copy them frequently, and they'd need to be manually generating the password to begin with.
I use Dashlane as I didn't really warm to the 1Password UI. Considered LastPass but ultimately liked Dashlane more. Right now I have 380 or so passwords in my manager and maintaining that in MS Word would be an absolute nightmare I imagine. It takes a few seconds on my iPhone for Dashlane to do an autofill via its OS integrations. I imagine if I was using Word I'd be looking at a minute or so to open Office, open the document, unlock the document and then locate the password in my list, copy and paste it into the site. If I was on a desktop every time I did this someone could look over my shoulder and see my password list also.
The password health and detection of compromised passwords is also very handy.
Tldr;
You should use the ability of the application to randomly generate passwords for each and every site so no two passwords are the same.
You what…
How many more steps you take before logging in every time? I log in to many services several times daily from many devices. 1Password has saved me a lot of time and hassle. It alerts me to change passwords periodically and also alerts me when the website is compromised.
Get this free for a year and try improving your memory until it expires. This way you won't need a word document either.
If you're going to go with a self-hosted option, please at least KeePass, not a Word document!
I agree that a subscription (rather than license) model is ridiculous. I love 1Password and have used it for years, but I refuse to add another subscription – and unlike Netflix, I will have to keep paying this forever.
LastPass is free for the basic account, it has all I need. I like that I can generate a password and save it for later use easily. It's handy that it automatically fills in my username/password in apps and browsers. Whatever works for you though.
Can you convert a family account to an individual account after the free trial year?
In family settings there is a button to convert your account to an individual account, I have no idea what it does if you subscribe this way though.
You can change it to Individual account from the Settings page.
Not sure they know what they're doing - everyone knows that a 1 has to be at the end of password for it to be secure, not at the start.
LastPass is free for personal use..
Basic 1Password is also free. 1Password Family adds a bunch of additional features. See my comment above.
I think 1Password is no longer free for "basic" after the latest updates - https://1password.com/sign-up/
I recently had to uninstall and reinstall 1Password 6 after it auto-updated to version 7 and tried to charge me a subscription. I am happy to be proven wrong though. :)
Ah. Dang it. I think you're right. I've been using 1password since 2011 -bought a family subscriptions and upgraded along the way a few times to v6. Now V7 wants to charge a monthly fee although apparently you can get a license (that doesn't give you updates) if you download the app from agilebits directly. Can't say I'm too happy with that. When it breaks, I might look at alternatives like lastpass…..
@PlasticSpaceman: LastPass was bought out by LogMeIn which has a controversial reputation. It also has an incomplete and broken export system which means if you're not reasonably tech savvy enough to fix their export by hand, you'll probably be stuck with them.
I'd suggest using literally anything else.
@PlasticSpaceman: Bitwarden is free (both free as in beer, and free as in open-source) and is absolutely excellent. Few extra features like the 1Password reporting of breached data etc. if you want to go paid but the free offering is more than enough.
It can also be self-hosted if you like. Can't recommend it enough.
Basic 1Password doesn't sync anything with their servers, and relies instead on a third party like Dropbox, which makes for a very bad experience across some devices.
it doesn't rely on Dropbox , it is an option, if you want you can wifi sync the data between your devices and it will never have to leave your network .
Brilliant, thanks OP. Always wanted to try this but was too expensive!
Bitwarden is free and open source with a ton of features. The paid family edition is only $1/month (up to 5 users).
I've seen BitWarden mentioned a handful of times as being superior/better than KeePass - which was also similarly quite highly recommended.
Wonder how they compare..
They're apples and oranges really. Keepass is good if you want local encryption (it's a db so you can then sync with dropbox etc) whereas Bitwarden is hosted as per LastPass, 1Password etc. Bitwarden is also open-source and you can even self-host (there's a lite fork of the backend that'll even fit in a free Google Cloud Compute instance if you want that). Personally I just use their hosting. Bitwarden is an excellent alternative to 1Password if you want open-source and/or free/low-cost. KeePass is great if you want a little local secure password database.
I used keepass for ages, but switched over to bitwarden around 6-9 months ago. Here are a few pros/cons I noted:
Bitwarden pros
* Better UI
* Secret sharing
* password db available anywhere online - don't need to sync it or worry about it being up to date
* Multiple URL patterns multi platform (e.g. 1 secret that autofills both website and an android app)
Cons:
* Not as many autofill options as keepass2droid. I miss the keyboard, and the persistent notification option
* desktop app not as rich as keepass
Thanks, good breakdown.
Secret sharing
What's that?
password db available anywhere online - don't need to sync it or worry about it being up to date
This wouldn't be a pro of BitWarden to me because I put my KeePass file in Google Drive, so it's also available online (except China I guess, lol)
Multiple URL patterns multi platform (e.g. 1 secret that autofills both website and an android app)
This sounds like KeePass' Auto-Type feature? In which case you can kinda do the same thing.
desktop app not as rich as keepass
That's interesting. I feel like the KeePass desktop app is quite bare bones.. maybe that's just the UI, but actually now that I think about it, it's quite feature-rich.
i have been using bw for few months and it’s pretty useless and annoying. i mainly use it with firefox and often find you need to enter the master password for any password to auto fill. my master pw is a random 24 character long and this makes it who new level of annoyance.
Start using PASS PHRASES instead of random characters for your master password ….
I love the TouchID and FaceID integration with 1Password. I only enter my password after a reboot or extended inactivity.
Could you use fingerprint login or just select to keep yourself logged in?
I previously used LastPass and had the same log-in dramas, but now BitWarden works well for me.
i sadly got the macbook pro without touchbar, so touchid is not available for me :-(
You can make it remember your password and stay logged in, would not recommend though. Pick a 14-16 digit password you remember and can easily type in.
Bitwarden is fantastic. It does everything I want. I have the paid edition just to support them, don't think I even use any of the premium features.
It also underwent a recent audit with a good result.
Doesn’t the fact that it’s open source make it more likely that the site will be compromised? I mean, if the code is open for anyone to analyse and exploit?
Possibility but isn't everything encrypted anyway? Not really sure what you would get out of it.
With anything to do with encryption you should always work with the expectation that the code can or will be be fully exposed and inspected.
Things shouldn't ever be considered 'secure' because people don't know what you're doing with the data, it should only be secure because it's mathematically sound even if someone can see the techniques in play.
No it means it's safer as it's open for auditing by third parties. Security through obscurity doesn't work. Bitwarden recently went through an audit with good results.
self-hosted bitwarden user here.
It is the best on the market and it is free.
any bitwarden users want to comment on the android integration v lastpass
any different?
currently a lastpass user, but happy to move to the open source alternative
I recently switched to Bitwarden from 1Password. I have used there standalone version(4 & 7) for years with dropbox integration. Recent changes to dropbox make this really irritating, limiting how many computers on the free tier. Also tired of waiting for them to do something for linux, and with the vault changes it it like impossible to use now on linux. I love bitwarden, pretty happy with the switch. Migration went pretty well. Not self hosting, but happy to have that as an option.
Couldn’t use the voucher, doesn’t work as a gift card. Where should I apply it?
https://1password.com/promo/canva/
Click the link and it'll say start your 1 year free trial with Canva.
Just use Enpass.
Then if your password provider gets breached you're still fine.
I switched from lastpass to bitwarden. All good!
And today I realised I check OzBargain more than the news.
I just use: "YoullneverguessmypassworD_1"
and then YoullneverguessmypassworD_2 when you need to change it right ;)
Best. System. Ever!
Stupid work password changing policy.
Highly recommend, have been using it for the last 4 years and is truly a lifesaver. This + authy to sync all the OTPs and I'm not dependent on any device !
If reddit and my work make me use Microsoft Authenticator can I still use Authy instead?
I thought you could move between them, just scan the QR code to setup the app
Yup authy supports this as mentioned above, just scan the qr.
Microsoft Authenticator, Google Authenticator, Authy and 1Password all just generic implementations of the standards-based TOTP (RFC 6238) protocol. They are entirely interchangeable.
In case you don't know, 1Password can also store OTPs. It even copies the OTP to the clipboard when you log into a 2FA-protected service. It's one of my favourite features.
Thanks. I have been using 1Password for years and did not know this!
I wonder if LastPass does this. It’s the password manager I’m using.
Edit: It does as a separate app: LastPass Authenticator.
Bitwarden does this too
1Password also does OTP sync! It's even better than Authy - when you autofill, it automatically copies the OTP to use so you can paste it in straight away.
(edit: didn't realise evanjd already posted this, ignore me!)
Didn't know that 1PW supports OTPs ! Will look at transferring, thanks guys.
Storing OTPs in a password manager always seems wrong. The point of MFA is that you have a password you know a device you own. If your password manager gets hacked then they know both bits of information making MFA pointless. At that point you might as well disable MFA and save yourself the hassle.
Good point.
Having said that, I will never use a dumb otp app like google authenticator ever because when my phone died, all my OTPs died with it.
A free service like Authy fixes this really well.
I use AndOTP (on Android) and it allows encrypted JSON backups so you can restore it on another phone if/when needed. It's a manual task though, so need to remember to do it whenever you add/update entries.
Isn’t keychain better, easier and free? (Only iOS)
Only iOS instantly makes it not better.
What's best for full cross-platform IOS, PC, Andrd etc? I don't wanna use different software each device
LastPass is popular. I use Dashlane.
1Passwords also an option and being free with this promotion is worth a go.
@capslock janitor: Well if you're using iOS then Googles I don't believe will integrate with Safari or apps. Dedicated password apps also have ability to help identify compromised password and have features such as secure password sharing (say with a family or work team) and recording of secure notes (handy for WiFi info and the like).
If you 100% use Google Chrome or 100% use iOS then the respective Google or Apple options may suffice. They are more cumbersome though if you want to retrieve the password to use in a desktop app given access to passwords is a bit buried unlike a dedicated app.
If you don't want to spend anything I'd have a look at the free LastPass option.
Keychain can sometimes randomly go corrupt.
Free for a year. Then…
RoboForm Everywhere, can use for all your PCs and mobile devices. US24 per year, but often discounted.
You need to be absolutely crazy to trust sensitive info to an app which is not open source. God knows what backdoors they have and how your info is stored.
Only open source, only Bitwarden. Also free, has a decent smartphone app, what else do you need?
Agreed 👍
how does bitwarden remain free? at least with this, you know they are making $$ to have the resources to keep things updated and safe.
I've never used these type of services before and I think I should start. Since everyone is saying bitwarden is good and free, I am leaning towards trying that out.. but I do wonder how they can provide the software/service free.
Free only for private use. If you want to have shared account (or using it for the business) - you will need to pay.
Smh these companies not taking security seriously…. they have no one to blame but themselves, they should have known ‘beefstew’ can’t be used as a password since it’s not stroganoff 🧐