For the past 6 months since our initial release, we've been squashing bugs, implementing features that didn’t make our MVP and applying polish throughout. At the same time, we’ve been studying various options to provide a trial for users wanting to test Secrets before buying.
To address this need and to show users new to password managers just how easy and efficient using one can be, we're making Secrets and all its features free to use with up to 10 items. Unlocking unlimited items is done via an In-App purchase.
With Secrets we put security first. Secrets stores your data using the OpenPGP standard, a battle-proven standard that has already seen a few revisions. This also allows users to easily self-verify how their data is stored using third-party tools.
We also strived to make it extremely simple to work with, not just from a UX perspective but also from a security perspective. Only the main app will ever handle your passphrase and encryption/decryption. Helper apps, browser extensions, etc. must go through it to get to your data (and require user confirmation).
So if you haven't tried Secrets yet now is the time! Download Secrets for Mac and iOS today.
What does the communication path between untrusted <-> trusted components look like, and are you doing anything special which might prevent the vulnerabilities which Project Zero recently reported in 1Password[1], LastPass[2], Dashlane[3] et al?
No untrusted component will have access to your data without user confirmation. This means you'll always have to click a button on the main app to fill a login for example.
There are two ways in which logins are filled in the browser:
- One is based on OS X Automation and AppleScript (this will work with Chrome and Safari without our Safari App Extension enabled). Succinctly, with this solution, Secrets will execute a small JS script on your frontmost browser windows to see if there are any logins to be filled. If so, it will present you a "Fill" button. Pressing that button will execute another JS script that will fill that form. In this scenario your data is sent via Apple Events.
- When you have the Safari App Extension enabled, the process is similar. But instead of Secrets actively looking for login forms on frontmost browser windows, the extension will let it know what is available. Again you will still need to press a "Fill" button on Secrets. Once you do, your data is placed on a private clipboard that the extension uses to then fill the login.
There are no local servers, and the extension doesn't have access to your data. By design, none of the linked vulnerabilities would apply.
By using an open standard to store your data, besides being as transparent as possible on the storage format, which you can verify on your own using third-party tools (we have a post about that: https://outercorner.com/2016/08/01/storage_format.html), we also benefit from the scrutiny OpenPGP has been through.
We also wanted to make a simpler and safer option (and in our eyes, more pleasant to look at) than existing password managers.
1Password's format is also documented [1], though I'm not aware of any 3rd party clients to parse/work with it. That's actually a thing I was thinking about writing (I commented about trying to write something in C++14 in another front page thread; this was it).
1Password also uses standard encryption, from the link [1]:
> We use Encrypt-then-MAC authenticated encryption everywhere we use encryption. The MAC is HMAC-SHA256 and encryption is AES-CBC using 256-bit keys. Key derivation uses PBKDF2-HMAC-SHA512. More detail about these choices will be presented in the relevant sections on key derivation and item encryption.
> In this document we will refer to “blocks of data”. Unless otherwise stated, blocks are the length of AES blocks, 128 bits (16 bytes).
Edit: apparently Github lists [2] four libraries for reading OPVault, one each in Python, Haskell, Go and Ruby.
Did you reply to the wrong parent? I wasn't making any statements about the quality of password generation.
I was replying to address two of the three points that these people invested 6 months to build YAPPM (Yet Another Proprietary Password Manager).
As is typical of developers, they've solved a problem that _probably_ didn't need to be solved. With a more product-orientated mindset, a business plan, and some market research would probably have preceded six months of engineering effort.
The "more beautiful" is subjective. I'd argue that having only one platform targeted makes it much easier to build an app in keeping with one platform's HCI guidelines. I happen to use a Mac, an Android phone, and a Linux desktop; thanks to WINE I can use 1Password everywhere, and knowing that the format is public and documented, and there are 3rd party implementations, I don't need to worry about AgileBits ceasing to exist.
I'm left seeing some developers making the same mistakes that I have made when building a product before finding out if the world really needs a _subtly_ different app to solve an already solved problem.
I think the developer invested nearly 6 years into it, and the comment about 6 months was time elapsed since initial release and doing the Show HN. It sounds like it was a spare time project for an indie developer.
No, I just made it clear for everyone that, open or not, the data format doesn't matter as long as the binary is proprietary. And I would never ever use proprietary things for critical things like a password manager, even one as pretty as 1Password.
Are you able to go into details about implementation, particularly around libraries used in building the iOS and macOS applications, and their pedigrees?
I'd argue that the implementation (or library) matters just as much as the standard (OpenPGP) when considering trust.
That was my first question as well. Why use something other than 1Password? And one answer may be the one time expense (Secrets) vs subscription plan (1Password).
Personally I prefer the web access and rock solid reputation of 1Password and gladly pay for it. Other than that Secrets looks fine.
I don't understand why so many password managers go through so much trouble to implement auto-fill. This one has an interesting approach that seems to be slightly less intrusive than what, say, Lastpass is doing but I still don't really see the value outweighing the cost.
Yes, auto-fill - if implemented well - can add some convenience for the user but it usually adds a significant amount of complexity to the codebase and comes with some challenges regarding security. In fact, LastPass' autofill feature is/was the root cause of some very scary vulnerabilities[1].
Copy&paste is simple, broadly understood and supported in much the same way on every single platform. And in my experience, it's really not that much slower than auto-fill.
It seems to me that most password managers these days are there to tick off a list of features rather than focussing on security and usability. Mind you, Secrets 2 is definitely not the best example of this - I actually quite like the clean look and simple user interface. Still, it seems like most people nowadays are judging the value of a password manager by the number of features rather than, say, security.
<shameless-plug>Padlock[2] is a minimalist, open source password manager without auto-fill, browser integration or any other 'advanced' features. We believe that when it comes to features, less is often more, and it seems there are plenty of people who agree with us.</shameless-plug>
I think it protects you against someone who's capable of sniffing your password on the wire somehow, since every login will require a unique code, and the secret is not transmitted, but you lose the benefit of "knowledge" (password) and "possession" (device, generating TOTP) being separate?
Whether you care about this depends on your threat model. If you're solving for "What if my Secrets vault is stolen by a bad actor and they're able to decrypt it?" then clearly physical possession being separate would be important.
I don't use this app, but I do use 1Password, and have thought about why I use something in addition to Keychain. What it comes down to for me is that I can keep other stuff securely in 1Password beyond just notes, and it's indexed and smart and everything. I actually find that I use it more for those other things these days. Additionally, it has had sync before Keychain had good sync, and I control it (and more importantly, can back it up on my own).
I always wonder about that when people talk about these things. I think the reason is that Keychain Access isn't well advertised and a bit obscure, so most people are simply not aware that there is already a thing that does that on every Mac, with (optional) cloud sync and a standard API used by almost everything on the system (including ssh and Safari -- and Firefox with an extension).
For one, iOS keychain won't let me see items itself, or their full descriptions. It only allows you to paste Safari website passwords. At least I haven't found how to do more than that.
From screenshots, it looks like this app would let you browse your whole collection in full. So there's at least one feature.
iCloud Keychain is handy for simple use cases. But it quickly breaks down if you want to have good password habits.
For example, I use my Apple ID to login to a bunch of different Apple sites. With the keychain that would create separate entries for each site although they are the same. Change your password and you'll end up with items with outdated passwords (which you'll only find out when you try filling them).
It is also cumbersome to create items manually in the keychain (imagine you need to save an SFTP or VNC login). Furthermore, how would you have access to these items on your iOS device?
You also can store more than just passwords with Secrets.
Recent versions of Keychain on OS X/macOS (and iOS I think) ask if you want to change other entries with the same username from the same domain (i.e. appleid.apple.com and developer.apple.com) when it detects a change.
I love all of these products, (this, Dashlane, etc...) but the switching costs are too high for me right now. Unless there is something that is extremely compelling, I can't justify transferring 400+ passwords just for a few features.
I'm only familiar with 1Password, but that does have an export feature to something as simple as CSV. Obviously you need to be careful about security and cleaning up after yourself, but there's no need to manually type in everything if the software you're moving to has any sort of import functionality.
1.) Because the first thing I thought was 'what's their business model?'.
2.) Because why not call it an unlimited Trial with 10 items, to make it clear it's not free.
Don't get me wrong - I like to pay for software, because I want to honour the work of others.