1Password vs OS X Keychain

My good friend is adamant that Keychain Access already provides the functionality of 1Password just without the nice GUI.

Is he right??????

He says this:

1Password may be useful for some people because of its nice interface and because they have simple computing requirements. In the following I summarize why it does not (yet?) apply to me.

Aging algorithm: I do not store banking passwords in the keychain but rather in a secure note inside the keychain. There, I don't spell out the password but describe it in words in a foreign language. As it stands now, it is still cumbersome for a casual hacker to crack the current algorithm.

Forms function: I found that for myself, filling in forms by typing is easier than auto-fill, then check and then correct. It is possible that for people with only one address and one email and two telephone numbers (I have 3, 3 and 7) it works well and maybe 1Password has a nice algorithm and it works better than Safari's built-in. But I would always have to go back and check. This can take as much time as the actual typing.

It is also nice to share passwords across browsers. I hate the way Firefox does it because I have to type a master password every time I launch Firefox. But I use Safari for most of my browsing and therefore the issue is not very big.

Having keychain compatibility with Windoze would be nice because I need it for testing FileMaker, accessing a defunct database and for browsing in IE. At work I use terminal server or an actual workstation and at home I use CrossOver (Wine) which works astonishingly well. 1Password will in most likelihood not work in the latter because it is not a full-blown Windows environment.

Running yet another process when you already have one running is adding another resource. Therefore its advantage needs to be compelling. Such as the resource that remaps the MacBook Enter key to an Option_Right. I use this key several times a day.
This additional process needs to integrate with other programs and has thus theoretically more of a chance to make a program or the OS unresponsive. Maybe it is coded well though.

Does 1Password grab all passwords that keychain does? That is, including AFP and SMB mounts? Including those for Microsoft TerminalServer? These are probably not instances a casual user encounters a lot. But we do at work and I would go crazy if I had to type these several times a day.

And, most importantly: Does the syncing over Dropbox allow for two computers to simultaneously write to their respective keychain files? While I am not using my computers simultaneously, I do not log off of them when I leave home or work. Meaning that the keychain is constantly running and potentially updating.
Dropbox uses an easy-way-out approach to this dilemma: if one file is written to by computer A but has also been updated by computer B, Dropbox will create a new file on computer A and suffix it with "created by Computer B on Date and Time". This is maybe OK for a file that you access directly but it is not at all acceptable for settings files such as the password ones.

As an example, I am using an encrypted sparsebundle disk image to make Dropbox more secure. A sparsebundle breaks the one monolithic disk image file into 8-MB segments which eases backup and synchronization because rather than copying the entire 250 MB, just the 8 MB that have been changed need to be copied.
If I forget to unmount this disk image at work and start using it at home, Dropbox creates disk slices with the aforementioned suffixes. These new files are ignored by the disk image program and hence I lose information. I suspect the same will happen with 1Password.

And this is probably the reason why so many people have a problem with the way Apple syncs: Apple is doing something that very few companies offer: live sync between computers that are all in active use. This could also be the reason why the keychain "grows". Because it incorporates all changes from all connected computers (in my case: 5-6).

Apple is doing a wonderful job. But it is tricky to achieve that, and it can break. BTW: my keychain has never grown to a point where it was too big or too slow. It angers me that 1Password claims that Apple's approach of non-file based keychain syncing is bad. They obviously did not do their homework right. If all they can offer is Dropbox or the likes, I don't want to be in their shoes when people call them and complain about passwords that never synced.

If Apple kills keychain syncing or if it fails to update keychain to include a new algorithm, I will be sorry to move away from something that is just there, that does not require updating and that just works. But I will do it.

Michèl

Comments

  • thightowerthightower T-Dog Agile's Mascot
    edited July 2011
    rosswell wrote:

    If Apple kills keychain syncing



    Ill let khad or one of the other admins answer the details about the keychain specifics as they deal with it on a daily basis.

    But in regard to your specific point above, Keychain syncing is dead or rather dying. It will no longer sync once mobileme ends.

    http://www.apple.com...transition.html



    What happens to the other sync services I use for my Mac?

    Syncing of Mac Dashboard widgets, keychains, Dock items, and System Preferences will not be part of iCloud, but will continue to be available for you to use until you move to iCloud. After you move to iCloud or after June 30, 2012, whichever comes first, those sync services will no longer be available. Other MobileMe services that are not transitioning to iCloud (iWeb publishing, Gallery, and iDisk) will continue to be available through June 30, 2012, even after you move to iCloud.



    So maybe file based keychain syncing is better and Apple knows this, I dunno as I am surely out of my league and really have no clue which is better. But Apple wouldn't kill it off for no good reason. Just my pure speculation on this part.


  • thightowerthightower T-Dog Agile's Mascot
    edited July 2011
    And, most importantly: Does the syncing over Dropbox allow for two computers to simultaneously write to their respective keychain files? While I am not using my computers simultaneously, I do not log off of them when I leave home or work. Meaning that the keychain is constantly running and potentially updating.


    Yes the Dropbox syncing will work without you logging off of one machine or the other. my self and the wife sometimes both sit in the same room, on each of our respective Macs and use/edit 1Password at the same time.


    1Password keychain is actually a very large collection of smaller items and the likely hood of the exact same thing being edited at the same time and same exact instance are super slim. Even if this were to occur 1Password has a built in conflict resolver.

    The most common cause of the conflict resolver appearing in my experience is during a iPhone or iPad sync when the user may not have let the sync finish and elected to start over from scratch etc.


    Honestly I very seldom if ever see the resolver, I almost thought it didn't work. But about 2 months ago I saw it for the first time in nearly a year. It happened because I aborted a keychain sync on my iPhone. I only had to resolve 6 items, and not the entire keychain out of about 1200 entires, not bad
  • khadkhad Social Choreographer

    Team Member
    edited August 2011
    Thanks for asking about this, Michèl!

    1Password may be useful for some people because of its nice interface and because they have simple computing requirements. In the following I summarize why it does not (yet?) apply to me.

    I'd like to think that everyone can benefit from a nice interface and simplified computing experience. Imagine if you had to memorize the commands to resolve a DNS query, request an HTTP header, download a web page, and render the code in your head rather than having your web browser display the page located at the URL you type into the address bar. Not really my idea of fun. :-)

    Likewise, 1Password makes the task of using a different strong password for every site you visit simple. It also automatically fills credit card and address information to make online shopping easier.

    Aging algorithm: I do not store banking passwords in the keychain but rather in a secure note inside the keychain. There, I don't spell out the password but describe it in words in a foreign language. As it stands now, it is still cumbersome for a casual hacker to crack the current algorithm.

    This seems incredibly inconvenient to me and doesn't add any real security. 1Password strongly encrypts your data and only decrypts a single bit of information at a time. At no point is the entirety of your data available in the clear.

    From the moment we designed the Agile Keychain data format we ensured that it was able to withstand an attack should your data fall into the wrong hands. As such, we use 128-bit AES encryption to protect your sensitive 1Password data as well as many other mechanisms to stop an attacker from ever accessing your information and we detail this here:

    http://help.agilebits.com/1Password3/cloud_storage_security.html

    So, as long as you use a secure master password that you don't use elsewhere, your 1Password data is incredibly safe even when stored on a service like Dropbox. If you're not sure about the strength of your master password, please do take a look at our recent blog post on this:

    http://blog.agilebits.com/2011/06/toward-better-master-passwords/

    Forms function: I found that for myself, filling in forms by typing is easier than auto-fill, then check and then correct. It is possible that for people with only one address and one email and two telephone numbers (I have 3, 3 and 7) it works well and maybe 1Password has a nice algorithm and it works better than Safari's built-in. But I would always have to go back and check. This can take as much time as the actual typing.

    I have never seen anyone fill out an entire form faster than pressing one key combination on the keyboard. I think this may be a world record! A quick glance at the form to verify it is much quicker than typing it all in, but perhaps I just don't know any world-record-setting typists or speed readers. <img class=" />

    It is also nice to share passwords across browsers. I hate the way Firefox does it because I have to type a master password every time I launch Firefox. But I use Safari for most of my browsing and therefore the issue is not very big.

    This is a personal preference, but most people I know use more than one browser. 1Password will sync across Safari, Firefox, and Chrome on the Mac and Internet Explorer, Firefox, and Chrome in Windows. This brings us to the next point…

    Having keychain compatibility with Windoze would be nice because I need it for testing FileMaker, accessing a defunct database and for browsing in IE. At work I use terminal server or an actual workstation and at home I use CrossOver (Wine) which works astonishingly well. 1Password will in most likelihood not work in the latter because it is not a full-blown Windows environment.

    The OS X keychain does not sync with mobile devices or any other platforms. We fully support 1Password for Windows in its native environment and many users (myself included) use 1Password for Windows under WINE in Linux environments. This is not supported, but aside form browser integration, it works great.

    Running yet another process when you already have one running is adding another resource. Therefore its advantage needs to be compelling. Such as the resource that remaps the MacBook Enter key to an Option_Right. I use this key several times a day.
    This additional process needs to integrate with other programs and has thus theoretically more of a chance to make a program or the OS unresponsive. Maybe it is coded well though.

    The background process (1PasswordAgent) uses 0% CPU and only 16 MB of RAM while idle on my machine. (I just glanced at at.) That's less than half a percent of the total RAM on a modern machine with 4 GB. It has been hammered on for years now and is rock solid.

    I'm beginning to think your friend has never used 1Password and is basing all of this on some imaginary version of it. :-)

    Does 1Password grab all passwords that keychain does? That is, including AFP and SMB mounts? Including those for Microsoft TerminalServer? These are probably not instances a casual user encounters a lot. But we do at work and I would go crazy if I had to type these several times a day.

    1Password interacts only with your web browsers for filling forms online. The Mac OS X keychain is the lingua franca for Mac developers to have their applications store sensitive data such as usernames and passwords. We don't want to replace this functionality. We want 1Password to be the lingua franca for how users interact with forms on the internet. You can store a record of your applications' usernames and passwords in 1Password, but you would need to copy and paste the passwords manually.

    Likewise, 1Password for Windows includes direct integration only with web browsers, but you can use the "auto-type" feature to fill username and password fields in many non-browser applications.

    (continued)
  • khadkhad Social Choreographer

    Team Member
    edited July 2011
    (continued)

    And, most importantly: Does the syncing over Dropbox allow for two computers to simultaneously write to their respective keychain files? While I am not using my computers simultaneously, I do not log off of them when I leave home or work. Meaning that the keychain is constantly running and potentially updating.
    Dropbox uses an easy-way-out approach to this dilemma: if one file is written to by computer A but has also been updated by computer B, Dropbox will create a new file on computer A and suffix it with "created by Computer B on Date and Time". This is maybe OK for a file that you access directly but it is not at all acceptable for settings files such as the password ones.

    Dropbox does handle all the syncing and conflict copy creation. 1Password handles the conflict resolution (gracefully, if I do say so myself).

    As mentioned in the aforelinked documentation, Dropbox syncing is so fast, though, that conflicts are very rare.

    As an example, I am using an encrypted sparsebundle disk image to make Dropbox more secure. A sparsebundle breaks the one monolithic disk image file into 8-MB segments which eases backup and synchronization because rather than copying the entire 250 MB, just the 8 MB that have been changed need to be copied.
    If I forget to unmount this disk image at work and start using it at home, Dropbox creates disk slices with the aforementioned suffixes. These new files are ignored by the disk image program and hence I lose information. I suspect the same will happen with 1Password.

    A 1Password data file is also a bundle, but the information is not lost. 1Password's Sync Conflict Resolver handles the conflicted copies of the bits of data for which conflict copies have been created.

    As a side note, our other product, Knox, creates .sparsebundle encrypted disk images, and you might want to tell your friend how risky it is to sync them via Dropbox. Not only can you lose changes as described but the whole encrypted disk image can become corrupt and unreadable.

    We strongly recommend against storing .sparsebundle files in your Dropbox folder.

    And this is probably the reason why so many people have a problem with the way Apple syncs: Apple is doing something that very few companies offer: live sync between computers that are all in active use. This could also be the reason why the keychain "grows". Because it incorporates all changes from all connected computers (in my case: 5-6).

    As I mentioned, and as described in the Sync Conlict Resolver doc, 1Password's data file is a bundle. Only items that have actually been edited are synced rather than a single monolithic file. This dramatically reduces sync conflicts and errors. Syncing a byte or two happens much more quickly than a late multi-metagbyte file. This is one of the many advantages the Agile Keychain Format has over the OS X keychain. You can find a more complete comparison in the 1Password User Guide along with the history of why we created the Agile Keychain Format.

    Apple is doing a wonderful job. But it is tricky to achieve that, and it can break. BTW: my keychain has never grown to a point where it was too big or too slow. It angers me that 1Password claims that Apple's approach of non-file based keychain syncing is bad. They obviously did not do their homework right. If all they can offer is Dropbox or the likes, I don't want to be in their shoes when people call them and complain about passwords that never synced.

    I'm not sure what you mean by this. Support issues have actually dropped off exponentially since we switched away from using the OS X keychain format. The Agile Keychain Format is much more robust when it comes to syncing. As Tommy mentions above, even Apple is discontinuing OS X keychain syncing.

    If Apple kills keychain syncing or if it fails to update keychain to include a new algorithm, I will be sorry to move away from something that is just there, that does not require updating and that just works. But I will do it.

    Well, thankfully the alternative is Something That Just Works as well. It even works with more than one account per site. It even works with websites that block form filling in Safari. It even works across different browsers. It even works across different platforms. It even works to generate strong passwords right in the browser as you sign up for services. It even works on iOS, Android, and Windows Phone 7.

    That's a lot of work. :-D

    And 1Password can work for you too.

    If we can be of further assistance, please let us know.

    We are always here to help!
  • Wow, I had not checked back here for a while.

    Thank you very much for the exhaustive analysis and response to my friend's comments.

    I think this information, though much of it above my head, will be good to have set down, for the use of future people with such detailed concerns/questions.

    For myself, I am becoming more and more addicted to the simple, even fun use of 1Password. I could never call Keychain Access "fun".

    Also, the notes, attachments, keywords, custom preview icon, double-click to launch site -- those I believe are unique to 1P and not KA.

    Thanks again

    Rosswell
  • MikeTMikeT Agile Samurai

    Team Member
    rosswell wrote:

    Wow, I had not checked back here for a while.

    Thank you very much for the exhaustive analysis and response to my friend's comments.

    I think this information, though much of it above my head, will be good to have set down, for the use of future people with such detailed concerns/questions.

    For myself, I am becoming more and more addicted to the simple, even fun use of 1Password. I could never call Keychain Access "fun".

    Also, the notes, attachments, keywords, custom preview icon, double-click to launch site -- those I believe are unique to 1P and not KA.

    Thanks again

    Rosswell
    Hi Rosswell,

    On behalf of Khad, you’re welcome.

    That’s one of the reasons that people use 1Password, because it is a pleasure and easy to use compared to other password managers.
This discussion has been closed.