New Product Request: 1Password for Linux [In Progress]

Comments

  • BobCarpenter
    Community Member

    @brenty I can confirm Enpass & Sygic maps as two examples that are using Dropbox App folders instead of Full Dropbox access. I think I misevaluated 1Password for this access method earlier, and now as a paid customer (different email though) I have a big objection with this 1Password file access concern, so I would like to work with you guys to see it as a feature soon.

    I would like to engage formally because if AgileBits just confirms this request as a won't fix then I would like to move to another product and recall all my 1Password references at least to caution them as well. Kindly suggest how we move forward on this.

  • BobCarpenter
    Community Member
    edited May 2015

    Hi @brenty and all on this thread, in the interest of a different security feature request, off topic from this thread, I have started a new forum discussion. I request any one of you to please chime in on the same at the URL given below:
    https://discussions.agilebits.com/discussion/41932/vote-here-security-privacy-request-for-limiting-full-dropbox-access-by-1password-apps

  • AGAlumB
    1Password Alumni
    edited May 2015

    I would like to engage formally because if AgileBits just confirms this request as a won't fix then I would like to move to another product and recall all my 1Password references at least to caution them as well. Kindly suggest how we move forward on this.

    As a general rule, we don't discuss planned features or changes like this, because even if we were to move in this direction there is no way to guarantee if and when it would be ready. And as I said, in the case of Dropbox in particular, there is a huge install base of people using a non-standard standard that we've supported all along, so a move in this direction, were we to make it, would need to be undertaken with great care and deliberation.

    We prefer not to mess with people's workflows (including our own) unless it is absolutely necessary. I know this isn't necessarily what you want to hear, but I want to be as straightforward and forthcoming as I can be.

    And thanks for creating the separate thread. I look forward to continuing this particular discussion there! :)

  • RichardPayne
    Community Member

    We prefer not to mess with people's workflows (including our own) unless it is absolutely necessary

    While I generally agree with the principle, in this case I think that wrapping it in a nice chunk of ham (improved security) would make the pill easier to swallow. Besides, you're not really changing a workflow, just a storage location.

  • BobCarpenter
    Community Member

    @brenty @RichardPayne This is a very straightforward feature request and seeking a process to work out itself deterministically, I guess no one requested a Ham wrapping that may mess up anything that is working well for now. Anyways I am indeed concerned to see how we can progress this one.

  • RichardPayne
    Community Member

    @BobCarpenter it is not that simple. Iirc Dropbox only allows one app identifier per app. It is not possible to have 2 ids, 1 with full access and 1 with restricted access that the app can switch between depending on user choices.

    Basically, giving you what you want would force other people to change how they work.

    Don't get me wrong, I do think it needs to be done but it's not a simple thing, especially when you consider that it would affect every platform.

  • AGAlumB
    1Password Alumni

    While I generally agree with the principle, in this case I think that wrapping it in a nice chunk of ham (improved security) would make the pill easier to swallow.

    Or bacon. People love bacon. :lol:

    Don't get me wrong, I do think it needs to be done but it's not a simple thing, especially when you consider that it would affect every platform.

    This is my chief concern. This kind of change would affect everyone who uses Dropbox sync, and not all of us would necessarily welcome this change.

  • BobCarpenter
    Community Member

    @brenty Again if it's not clear, I am not in favor of breaking anything for this feature either. I don't know where you folks have picked up the impression and ranking on, I just want to see a process to determine if this privacy feature request can be done or not so I better re-invest in another app.

    Also since my subscription is newly purchased on May 12th, I'll be much happier to discuss any possible refund terms and use another app instead of 1Password. Please advise for refund.

  • RichardPayne
    Community Member

    @BobCarpenter what we're trying to explain is that while you don't want to break it for anyone else, what you're asking for will almost certainly do so.

    I just want to see a process to determine if this privacy feature request can be done

    It absolutely can be done and I know it's on the radar as it's been discussed on these forums before. Whether it will be done fast enough for your liking I have no idea. They don't normally release details of their development roadmap.

  • DMeans
    Community Member

    I've been using 1Password for a long time. I really love the product. I have recommended it many times.

    But finding myself without my Mac for a while, I sat down with my Linux machine and realized, "I don't have 1Password installed here - let's do that." A quick Google and parse later, I learned that I could jump through some hoops and get it running via Wine. I also learned customers have been asking for this port for about 5 years now.

    So I checked out LastPass. It has support for Linux. And as a Security Architect for a Fortune 500 company, I most certainly noted that it has support for multi-factor authentication (something I've also asked for before).

    So I'll throw my hat into the following three rings:

    • We need a Linux port.
    • We need multi-factor authentication.
    • Like a lot of others, I'm off to LastPass to perform some due diligence before making the switch and committing to a premium LastPass account.

  • sebibob
    Community Member

    @BobCarpenter The only thing that Enpass needs to be perfect are browser plugins. But in security matters Enpass is the better software for Linux machines. Because, what doesn't work in 1Password under WINE are the Lock and Clipboard-deleting features. I see the users begging for a native Linux client of 1Password since Nov 2010, but understand the reasons why AgileBits don't spend their time with this platform. It's now on us to elect and spend our money to the guys who take care of our wishes.

  • AGAlumB
    1Password Alumni

    Thanks for weighing in! I can get behind that: supporting a product that exists in lieu of one which does not. And while we may tackle the Linux platform someday, I certainly wouldn't expect you to put your digital lives on hold in the meantime.

  • RichardPayne
    Community Member

    @sebibob

    Because, what doesn't work in 1password under WINE are the Lock and Clipboard-deleting features.

    Locking does work. As far as I'm aware, the only thing that doesn't is the autolock when workstation is locked option. There is an outstanding bug in the WINE bug tracker for this. The timer based auto locks do work last I checked.

    I was not aware of the clipboard clearing not working. Do you have any more info on that?

  • AGAlumB
    1Password Alumni

    Indeed. I don't use it extensively under WINE, but I didn't notice problems with auto-lock.

  • sebibob
    Community Member

    Oops. It seems that I have no idea. Shame on me.

    Ok. What works:
    -Lock after x time
    -Lock after Browser shutdown
    -Clipboard clearing

    What doesn't work:
    -Lock after suspend when I close the lid.

    Please accept my apology.

    Long live Agilebits. Long live 1password.

  • RichardPayne
    Community Member

    Excellent, so just the one bug that's already been logged. Thanks for the follow up @sebibob .

  • calebwalker
    Community Member

    @DMeans Thanks for the LastPass mention. At least from this group we can find a software vendor that will support our platform needs. I am going to play with the free version for a little while. Getting closer to saying goodbye 1Password.

  • RichardPayne
    Community Member

    @calebwalker make sure you test the mobile platform. I found it rather flakey.

  • AGAlumB
    1Password Alumni
    edited June 2015

    Ok. What works:
    -Lock after x time
    -Lock after Browser shutdown
    -Clipboard clearing

    What doesn't work:
    -Lock after suspend when I close the lid.

    @sebibob: No apology necessary! It's easy to get these things mixed up, especially when troubleshooting. Thanks for clarifying. :)

  • BobCarpenter
    Community Member

    @DMeans Considering your valued professional skill, I would like to ask you if you also evaluated Enpass and how that resulted for you. Apart from being non-hosted and no multi-factor auth, would you recommend it to anyone looking for a cloud sync complete password manager?

  • RichardPayne
    Community Member

    I've just been having a look at Enpass. Can anyone say "1Password clone"? ;-)

  • AGAlumB
    1Password Alumni

    Good artists copy

    :)

  • DMeans
    Community Member

    @BobCarpenter - Enpass uses SQLCipher (pretty good stuff), AES256 (you want nothing less when using AES) and proper key stretching (PBKDF2) using 24k rounds. They'd make me a little happier if they added a random 256 bit salt to that and not mentioned the number of rounds. But in practice? Meh.

    PBKDF2 is an algorithm designed to be programmatically difficult to reproduce a hash given two things: you're unaware of the number of rounds and there's a salt involved. However, we always assume the salt is discoverable, so it's the number of rounds you try to protect. In practice, both are discoverable via reverse engineering, hence we make the rounds as high as possible (tolerable during use). Given a sufficiently large number of rounds, it's going to take a long time to develop a rainbow table in order to crack your password - assuming you're not a nation state or don't have a nice GPU rig designed for such work.

    Finally, they're not keeping your encryption key or its derivative - which means they're using a sentinel to determine if the correct key has been entered. That's awesome sauce. What it means is once you enter your password, they PBKDF2 it, then attempt to decrypt a known, encrypted value using the hash. If the result of the decryption results in the known value, then you've entered the correct password. It's another best practice that keeps the key and the PBKDF2 derivative unknown, thus it's going to take an attacker additional time to prove that the right key has been discovered.

    Given these findings, I'd consider using it. The only thing that would hinder me would be ease of use and compatibility - of which I know nothing about.
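
Added example (not part of the post above, and not Enpass or 1Password code): the sentinel check DMeans describes, in Python, where only a salt, a round count and a check value are stored and a password is verified by re-deriving the key. Assumptions: PBKDF2-HMAC-SHA256 as the KDF, and an HMAC over a constructed sentinel standing in for the AES decryption of a known value; the names derive_key, check_value, create_vault_header and unlock are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional

SENTINEL = b"vault-key-check"  # constructed known value (assumption)
ROUNDS = 24_000                # round count quoted in the post


def derive_key(password: str, salt: bytes, rounds: int) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, rounds, dklen=32)


def check_value(key: bytes) -> bytes:
    """Keyed tag over the sentinel; stand-in for encrypting a known value."""
    return hmac.new(key, SENTINEL, hashlib.sha256).digest()


def create_vault_header(password: str, rounds: int = ROUNDS) -> dict:
    """What gets written to disk: salt, rounds, check value. No key."""
    salt = os.urandom(32)  # random 256-bit salt, fresh for every vault
    key = derive_key(password, salt, rounds)
    return {"salt": salt, "rounds": rounds, "check": check_value(key)}


def unlock(header: dict, password: str) -> Optional[bytes]:
    """Re-derive the key from the guess; return it only if the tag matches."""
    key = derive_key(password, header["salt"], header["rounds"])
    if hmac.compare_digest(check_value(key), header["check"]):
        return key
    return None


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")
    print("right password unlocks:",
          unlock(header, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(header, "Tr0ub4dor&3") is not None)
    other = create_vault_header("correct horse battery staple")
    print("same password, same check value:", other["check"] == header["check"])
```

Because the salt is fresh for every vault, the same master password produces a different check value each time, so work done against one header does not carry over to another and every guess costs a full PBKDF2 run.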

  • RichardPayne
    Community Member

    @DMeans all of that is exactly how 1Password does it too.
    Ease of use is poor. The interface is nice and works well but there's no browser integration so you're either using the clipboard or their own internal browser.

  • BobCarpenter
    Community Member

    Thanks @DMeans for your valuable review of Enpass and thanks to the rest of the community & AgileBits here - I'll be looking forward to returning to 1Password when features which matter to me have been taken care of or I have a suitable workaround in place.

  • DMeans
    Community Member

    @BobCarpenter - You're welcome.

    BTW, I never did make the switch to LastPass. There's just something about dumping all of my stuff into a SaaS that I have no visibility into that I can't shake. Not that putting my 1Password data into a cloud sharing service is that much better (such as Dropbox). Secondly, 1Password simply affords me the access I require on multiple devices that might not have internet access.

    Finally, I have to say that the OPVault design seems solid to me. Random salt, key derivation, etc., it's all there. It's one of the reasons I have difficulty making the switch to anything else. It's a nice open design that encourages reverse engineering and 3rd party validation. Just so long as no one can figure out my master password, I'm safe - which is why I will continue to suggest that adding multi-factor to that bit is a requirement.

  • AGAlumB
    1Password Alumni
    edited June 2015

    @DMeans: While essentially it's a matter of personal choice, I'd say that using a cloud service like Dropbox or iCloud is a bit better because in both cases you have more control of your data. After all, you can just purge your vault from either fairly easily if you choose.

    Additionally, the data is encrypted locally, before it is sent into the 'cloud'; and while I realize that LastPass may encrypt data locally as well, they're relying to a large extent on browser security when doing this in JavaScript. So ultimately whatever app or service we choose to use to store our data, it's always a matter of weighing the risks and benefits against our individual needs and preferences. I used LastPass myself a while back, but I ultimately stuck with 1Password because I can use it completely offline if needed (among other things).

  • calebwalker
    Community Member

    The passwords I need from these programs are only when I am online anyway. When do you use them offline? And yes, agreed, I am uncomfortable putting my passwords out on LastPass' cloud too.

  • AGAlumB
    1Password Alumni
    edited June 2015

    @calebwalker: Obviously logins are not particularly useful without an internet connection, but driver license, credit cards, memberships...I could go on and on. 1Password is effectively my wallet + filing cabinet. I keep a lot of things in there that would probably make others laugh, but it's super convenient for me! ;)

  • RichardPayne
    Community Member

    Login can be useful without an internet connection in the cases of home servers or use inside a corporate network.

This discussion has been closed.