1Password lack of automation
I still find it fascinating that, even though there is a debate about whether the experiment was actually conducted, the vast majority wins in setting policy for the rest of the population even when that policy does not make any common sense whatsoever.
One of the key strengths of 1Password is actually in the lack of automation in the areas where it counts - automatically filling in passwords and credit card fields. Yet Michael Ansaldo, in his own right speaking for the rest of the population, is attempting to douse cold water amongst the rest of us with his narrow-minded view of what constitutes a secured password manager and what "convenience" features must absolutely not be forsaken in the name of security.
Clearly, his bottom line, "1Password is a capable password manager, but its lack of automation, even if it's for security reasons, is disappointing considering that's one of the very features for which these tools are prized," lays out his priorities.
While I am all too clear on the pitfalls of auto-filling forms, particularly in an example where a hacker has taken over a site's domain via DNS poisoning or other sinister means, I would probably commit a sacrilegious act by asking if the 1Password team would consider putting in an option just so that the rest of the monkeys don't beat up on 1Password for not automating things.
Thoughts?
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Comments
@laugher: Ah, I thought that was interesting too. 1Password is first and foremost meant to help people secure their digital lives. So I'm not sure where this "automation app" idea came from originally. Certainly we do some of that, but when I read that term I think of things like Automator on macOS and Workflow on iOS. I have to admit that your monkey example went over my head at first, but after some thought I think that's a rather salient point.
One of the key strengths of 1Password is actually in the lack of automation in the areas where it counts - automatically filling in passwords and credit card fields.
Couldn't agree more, and I think that really sums it up very nicely. While 1Password does have some "automation" capabilities (though that may be laughable to the folks who make serious use of my earlier examples), security is really the cornerstone, and any features we add need to be carefully planned and executed with that in mind. While some folks may value automation above all else (and, frankly, it's their prerogative to do so), our focus is for 1Password to let us control where our sensitive information is filled.
It sounds like because some password managers (or browser features) focus on this heavily, it's become a standard "password manager" function in some people's minds. I agree that we have room to improve in this area, but we're always cautious as we don't want to squander the trust that many 1Password users have in 1Password not to do these things. It's an interesting conversation either way, and I'm interested to hear what others think. :)
Thanks @brenty for your input.
The problem, the way I see it, is that everyone from the devs in competing products to freelance journalists (who probably shouldn't be rating products at all, with little to no understanding of what they are talking about) can be empowered to declare what is best for the rest of us.
Shouldn't a standards body be formed to guide industry and layman thinking? What we need is a guiding body or standards committee that helps industry, government and private citizens understand our security landscape and what we should be adopting as best practice.
Is there a security standards body that outlines best practices and minimal standards in products today? I don't really think so, or if it exists, it's fragmented.
Perhaps the Common Criteria, although the CC is limited in its breadth of coverage, and while it does make some attempt to list products that they approve, it does not clearly state what principles were used to gain their acceptance. It is also very government-centric. If we were all living by its standards, we would be severely limited in choice. Not to mention, some of the tools they list aren't exactly applicable for the everyday working Joe, and the fact that they don't even list password managers, from my brief check, is a clear sign that something better needs to be in place.
Looking away from government, while keeping in mind each has its own national security and cyber defense capability that it would prefer to keep in house, organizations that seem to be producing security products, including AgileBits, seem to be doing all sorts of things, including innovating on their own accord. So it falls to the layman to interpret what is best, which isn't always ideal. I use 1Password because I come from a security background and I actually understand enough of what you folks are doing to know that, at this bracket, your product is made with the right mindset and principles and that your leadership and devs understand and are passionate (or appear to be) about its strengths.
While thinking about certification, my attention turned to education and my memories of sitting in the CISSP training from ISC2 or the CISM training that is run by ISACA. These folks were trying to standardize things from a training and certification perspective and may actually be the closest thing to a set of guiding standards, but it still leaves a lot to be desired. Some of their principles are quite broad and can be easily misinterpreted. Their interest seems to be more around creating their own community through participation in training opportunities. SANS is very similar.
Where's the IEEE equivalent body for security and what a password manager should and shouldn't have? There isn't one.
While AgileBits leads a very active security community, this community is generally isolated to its customers. To provoke further thought and development in the matter, maybe it's time AgileBits took a lead in this space?
@laugher: Well, I think everyone is entitled to their opinion. If the person reviewing a product has specific expectations going into it, it's hard to set that aside even if it's something they're aware of. And someone who thinks of a password manager as an automation tool almost exclusively will view it through that lens. I think that's fair. But I do agree that it's less helpful to others, who either won't get a good sense of the security benefits of using a password manager or will think that it just doesn't matter.
IEEE does great work, but laypeople don't pay any attention to organizations like this, so I'm not sure that's the right solution. While I think there's always more that can be done, we put a lot of information out there on our support site and blog, and there are some fantastic resources out there from both security professionals and academics.[1]
We live in exciting times, with so much information readily available. The hard part is that people have to care about security to take advantage of this. Unfortunately, often the only way things like this get attention is when they impact someone's life, but the good that comes out of the security breaches we frequently see (and the things going on in politics) is that news coverage increases awareness and interest in folks who didn't pay attention to these things previously.
[1] Crypto101 and the Applied Cryptography course are great (free) general resources, and our security white paper has information specific to how 1Password.com works.