Cannot use sudolikeaboss with 1Password 6.8.1

2»

Comments

  • svoop
    svoop
    Community Member

    To bring this thread back to where it started: Are there any news concerning this suggestion by @brycekahle (who is trying to bring "sudolikeaboss" from websockets to native messaging)?

    September 14
    I would be happy to obtain a code signing identity from Apple and sign the sudolikeaboss binary.

  • bundtkate
    edited October 2017

    @svoop: Looking at our issue tracker, it doesn't look like we have any news to share at present, but I do see this comment from Jeff Goldberg indicating we've shared some additional info in hopes of getting things working so it looks like there's an ongoing dialogue here.

    I'm not super familiar with sudolikeaboss, so please forgive me if I'm providing a useless suggestion here, but it looks like some who were using it have found our new CLI tool to be of use as well so feel free to give that a gander. :chuffed:

  • 2bithacker
    2bithacker
    Community Member

    Am I correct in thinking the new CLI tool is only able to access online vaults? I'm not a huge fan of online password storage, and keep my stuff in a local vault.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Am I correct in thinking the new CLI tool is only able to access online vaults?

    @2bithacker: Yes, that is correct.

    I'm not a huge fan of online password storage, and keep my stuff in a local vault.

    We aren't either, and that's why we don't store anyone's passwords — including our own; the server only ever gets encrypted data. As with any other version of 1Password, encryption is done locally on the device, and the "keys" to the data are never transmitted to us. That way only you ever have the means to decrypt it. That's good news because it means you're literally in control of your data: an attacker will have to get your Master Password from you in either case — and they might as well get your vault from you as well while they're at it. So 1Password doesn't ever depend on the relative "security through obscurity" of local vaults now any more than in the past. Cheers! :)

  • 2bithacker
    2bithacker
    Community Member

    That all sounds fine, assuming the encryption is solid and nobody can ever brute force the Master Password. I feel safer knowing my data isn't out there, even in an encrypted form. I don't think "security through obscurity" applies here, it's security through not-putting-my-data-out-there-in-the-first-place.

    More and more it's sounding like it's time to investigate other password storage options. :(

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited October 2017

    That all sounds fine, assuming the encryption is solid and nobody can ever brute force the Master Password.

    @2bithacker: Indeed. Fortunately if someone steals the encrypted data from 1Password.com, they won't be able to perform a brute force attack against your Master Password, as your (128-bit, randomly-generated) Secret Key is also needed to decrypt the data. So, quite literally, regardless of what "flavour" of 1Password you use, an attacker would have to target you to be able to get both your data and the keys to it.

    I feel safer knowing my data isn't out there, even in an encrypted form. I don't think "security through obscurity" applies here, it's security through not-putting-my-data-out-there-in-the-first-place.

    We may have to agree to disagree on that point, but honestly I wouldn't be comfortable depending on no one being able to get ahold of any of my devices — or me — if they really wanted to. Having data stored only locally is only beneficial if 1) it isn't secure otherwise and 2) no one can get to it there.

    Feeling safe is good, but i've been in too many situations where I've felt safe and wasn't. So 1Password is built on actual security. Certainly we want you to feel safe too, so we put a lot of effort into explaining how all of this works — not only one-on-one with customers, but in our security whitepaper, knowledgebase, and blog.

    And, rather than relying solely on ourselves to vet 1Password's security, we also participate in external audits and cooperate with independent security researchers to find any flaws so we can fix them.

    More and more it's sounding like it's time to investigate other password storage options. :(

    I hope you will. And I mean that sincerely. I think a lot of people say stuff like that out of frustration but never follow through, and that doesn't help anyone. It's good that there's competition in this space, since we don't want anyone to feel stuck: We want happy customers, not trapped ones. If 1Password isn't a good fit for you for whatever reason, we'd rather you use something else than nothing at all. Stay safe out there! :blush:

  • svoop
    svoop
    Community Member

    @bundtkate I prefer to keep my passwords stored locally, so the "op" CLI tool is not option. Agile obviously has a different vision on storage, but since you claimed in the past that customers won't be forced into the cloud, giving the makers of "sudolokeaboss" a hand would be a great way to underpin this.

  • thorhs
    thorhs
    Community Member

    @bundtkate I just wanted to add that I too miss having sudolikeaboss. I purchased 1Password largely due to the convenience of using it on a daily basis. Don't get me wrong, I love 1Password, but this has severely impacted my day to day operations.

    I wouldn't mind having to switch to 'op', but having it rely on the cloud is a no-go for me. I'm unfortunate in the rerard that I work for a company that is mandated to inspect all network tracffic, so company wide 'MitM' is mandatory. 'op' does not support other SSL CAs, so it does not work for me. (see https://discussions.agilebits.com/discussion/comment/391499#Comment_391499 for explanaitons).

    Please, either work with the sudolikeaboss authors, or get 'op' working locally. I assume you have no problems signing your own tools.

  • Lars
    Lars
    1Password Alumni
    edited October 2017

    @svoop and @thorhs -- We've not only "claimed in the past that customers won't be forced into the cloud," we've stated flat-out on our blog that both standalone licenses and local vaults will be an option in the upcoming 1Password 7:

    With this release, we finally have enough visibility to chart a course for the future, so we’re happy to announce that standalone vaults will be an available entree on the menu in 1Password 7 for Windows. 1Password 7 will be free with your 1Password membership, but if memberships aren’t for you, paid licenses will also be available.

    What we haven't ever claimed or promised, to my knowledge, is that any particular feature or (especially) external tool will be created or reworked to suit the needs of a particular person or group of users. We always take feedback and requests into consideration, and we appreciate the passion of the group of sudolikeaboss users in this thread whose company restrictions or personal choice not to use a "cloud-based service" means they're impacted by our decision not to work with unsigned software any longer, and as @bundkate mentioned in a previous reply, discussions with the team at sudolikeaboss are ongoing.

    Our overall goal remains what it's been since the beginning: to make the best password manager we can make, for as many users as possible. We feel very proud to have succeeded to the degree we have in doing that over the last eleven years, but we recognize we are not the only solution out there -- and that's a good thing! As @brenty said earlier in this thread, if it ever gets to the point where your particular use case for password management, combined with your must-haves and won't-dos in other areas, add up to another solution better suiting your needs, we'll be happy as long as you continue to use some form of password management.

  • brycekahle
    brycekahle
    Community Member

    discussions with the team at sudolikeaboss are ongoing

    I have yet to receive any direct communications from AgileBits. I'm very much willing to create and sign an app bundle, but I do not want to pay the $99/year Apple developer account fee without confirmation from AgileBits that they will add the signature.

  • Lars
    Lars
    1Password Alumni

    @brycekahle - thanks for that update; I wasn't aware you hadn't heard from anyone yet. I know the plans to discuss this have been ongoing, but let's see if we can expedite things, based on your reply. Unfortunately, it is a holiday Monday both in Canada and the USA, so although I've pinged the Mac team explicitly regarding this, you may not get a reply immediately. However, I'll make sure this moves forward to some resolution. Thanks for your patience.

  • Good afternoon Bryce,

    Thanks for circling back to us here. I’m sorry that we’ve dropped the ball on getting back to you. We really appreciate your interest in getting 1Password and sudolikeaboss back on speaking terms.

    Let me lead off with the decision we’ve reached about whitelisting a signed version of sudolikeaboss and allowing it to communicate with 1Password over native messaging: This is not something we’re going to do.

    Our move away from web sockets and towards native messaging has been all about drastically increasing the security of the communication between 1Password and third party web browsers, as well as making sure that we can verify and vouch for those browsers.

    This puts us in a tight spot with a tool like sudolikeaboss. For a long while sudolikeaboss has worked with 1Password as a happy accident. With the combination of it masquerading as Chrome and an advanced 1Password feature that let customers opt into an insecure mode of communication it was able to carve out a niche, and an admittedly useful one. However it also highlighted something that we weren’t completely comfortable with.

    When we began the work to move to native messaging we knew we had to take a harder line on enforcing secure communications with web browsers to ensure the safety of our users.

    In conjunction with this move we have been making some excellent advances with our own command line tool. We know it doesn’t fulfill everyone’s use case but we have gotten some great feedback on how we can continue to improve it.

    So where does this leave a tool like sudolikeaboss? In the short term our answer has to be that if you rely on sudolikeaboss in your workflow that you’re better off sticking with version 6.8.0 for now. However, we have some plans to help get sudolikeaboss and other tools like it back to working with 1Password in a way that we’re completely comfortable with.

    When we have something to show you, Bryce, we’ll get in touch to give you a preview.

  • Lawdawg
    Lawdawg
    Community Member

    Hi @MrRooni - I'm grateful for the high standards of security. I would also like to vote that a solution for this is a high priority.

  • Cheers @Lawdawg, I appreciate the response. sudolikeaboss is an important tool and I'm excited about what we're planning for the future.

  • squarecandy
    squarecandy
    Community Member

    First:
    Want to echo others' applause for your high standards of security and to also put in my vote for getting some tool that works with the command line going soon. Would be fantastic if it were built and supported by AgileBits. We all love sudolikeaboss, but it's always been a bit of a workaround.

    Second:

    In conjunction with this move we have been making some excellent advances with our own command line tool. We know it doesn’t fulfill everyone’s use case but we have gotten some great feedback on how we can continue to improve it.

    Where can we find more info about this?

  • smoore
    smoore
    Community Member

    I'm really looking forward to 1P actually working with @brycekahle to get this resolved in a positive manner (op cli is not a solution for us, rollback is not a solution for us). Over many months, the message threads show a lot of appreciation from 1P and regret for dropping the ball, but not sure if that translates to commitment. If I could buy this feature today ...

  • svoop
    svoop
    Community Member

    Thanks a bunch @MrRooni for the tech update and the effort to continue support for third party tools. Big thanks to @brycekahle as well for adopting "sudolikeaboss".

    Let's see what the future brings. As a workaround for now, I'll fall back to the OSX keychain via iterm2 in order not to block the upgrade path for both 1P and OSX.

  • khad
    khad
    1Password Alumni

    That sounds like a fine idea. :+1:

    For what it's worth, I've been really digging the new 1Password command-line tool. If any part of the documentation I wrote for it isn't clear, let me know.

    And I know I won't persuade some folks, but for anyone on the fence about a 1Password membership (that includes a 1Password account), I'd encourage you to at least read About your Secret Key if not the full 1Password Security Design White Paper [PDF]. No other password manager offers the protection afforded by what we call Two-Secret Key Derivation. The Secret Key isn't a mere authentication factor; it actually strengthens the encryption. So even with a lousy Master Password, you're starting at 128 bits of entropy.

  • Ralnoc
    Ralnoc
    Community Member

    The primary feature that I think most people want in the CLI tool is to mimic what sudolikeaboss did. Having it register securely with the local agent, just like the chrome plugin does, gives us the pop-up for matching passwords based on the identifier assigned to the cli tool and then when you select the password, injects it into the terminal window. It is actually this offering from sudolikeaboss that got be to purchase a subscription with 1Password. The current implementation of the cli tool actually offers me no benefit over just having the application running. I still have to change to a different window, copy and then paste the password into the terminal.

    What is the likelihood that this CLI tool will be expanded to offer that feature set?

  • Lars
    Lars
    1Password Alumni

    Welcome to the forum, @Ralnoc! We're not surprised to hear what people would like in a CLI; sudolikeaboss definitely filled a niche for a subset of our users. And while I'd love to be able to give you a roadmap for future development, if you're in - or have ever been in - software development, you know it really doesn't work that way; too many factors come into play to make predictions about what will happen or what will see the light of day. I can tell you (as @khad did as well), we're all pretty excited about the new CLI, so I'd be surprised if it didn't see more refinement and developer attention over the coming months. Thanks for letting know what you'd like to see out of it, and stay tuned!

  • eroux
    eroux
    Community Member

    While we all home for an "official" solution, most of us can't afford to wait indefinitely for that.

    So, until AgileBits give us an alternative, there is always peacetara's slab

    I can give it the only valid endorsement I can: Like 1Password, "It works for me".

  • Lars
    Lars
    1Password Alumni

    @eroux - thanks for the suggestion for users who find themselves in a similar situation!

    I want to offer a note of caution, however, because while a lot of us here come from a tradition of do-it-yourself, create-your-own-solution approaches to our own digital situations, from a developer perspective we always worry a bit when we see too many eggs getting put in a non-supported basket. On the one hand, we're glad to see users thinking up innovative ways to use 1Password under conditions or for purposes it was not originally intended (or supported). But we also know from past experience that when it comes to things we don't for one reason or another officially support, what works today may not work at the next update due to changes we've made, and then no one's happy.

    When that happens, we wind up with some quantity of disappointed users (and there's very little we loathe more than disappointing our users). But more importantly, that group of people who'd come to depend on that particular DIY solution are left scrambling because their chosen setup simply stopped working overnight. We're always sorry to hear when anyone has a less-than-awesome experience with 1Password, but at the same time, we can't take accountability for unsupported uses of our software either. That's why I issue a note of caution about such things: because the tinkerer in me wants to cheer that members of our community have blazed a new trail and come up with a neat solution to a problem, but the 1Password employee in me worries that people will come to depend on an unsupported method that may or may not continue to work tomorrow the way it does today.

    In short, thank you for caring enough to come here and share with others what's working for you. We're very glad to have such an engaged user community, so thanks for being a part of it. :)

  • charliwest
    charliwest
    Community Member
    edited July 2018

    @Lars I understand what you mean, in much the same way sudolikeaboss stopped working, so might slab. Also I am not super keen to give my password to an "unknown" project...but if 1Pw won't give us a good solution to this issue we need to work around it in unknown and possibly unsafe ways. If 1Pw would step up this would all go away as a problem

  • AGAlumB
    AGAlumB
    1Password Alumni

    @charliwest: You should check out our CLI app. ;) Khad mentioned it earlier, and it's evolved since then as well:

    1Password command-line tool: Getting started

    Cheers! :)

  • charliwest
    charliwest
    Community Member

    Hi @brenty, can it pass my 1Password stored passwords into a terminal with a keystroke? From looking, albeit briefly, at the docs it doesn't seem to have that function.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @charliwest: A single keystroke? No. :lol: I'm not sure why you'd want to dump your passwords into Terminal, but you could using jquery to filter the JSON, from op get item <UUID> for a single item, etc., as an example. :)

  • charliwest
    charliwest
    Community Member

    OK so the point of sudolikeaboss @brenty was when you sudo in terminal and the system asks for your password you do a key stroke and the 1Password prompt would come up and you could select a password and it would paste into the terminal. This was an amazing tool if you administer many machines and have to sudo a lot, or if you su - user and have a bunch of different users. Thats why I would like to "dump" my password into terminal

  • AGAlumB
    AGAlumB
    1Password Alumni

    @charliwest: Ah, okay. Thank you for clarifying. When you said "pass my 1Password stored passwords [plural] into a terminal" I almost had a stroke. That makes more sense. :lol:

    This isn't quite what the CLI app is designed for. It's meant to be a full-fledged 1Password client with item creation, access, editing, and a whole bunch of stuff that it wouldn't be reasonable for a GUI app to do. We haven't really had people advocating for your specific use case, so if you give it a try we'd love to hear your feedback on it:

    1Password CLI (beta) forum

    Either way, thanks for checking it out. :)

This discussion has been closed.