
password managers (and 2FA)

I do not know which app has the problem.
Your original post mentions having restarted both apps (and the iPad as well), but it doesn't mention whether you've tried reinstalling either or both. If you are using 1Password in a strictly standalone capacity, I can easily see how that would be a problematic proposition.

But assuming that you have a way to sync the 1Password data and haven't already tried a reinstall, that would be what I would try next.
 


To reiterate, the 1Password 7 extension works fine, except that it's $60/year for a family plan. It's the 1Password 6 extension that has been the subject of this thread. Agilebits hasn't (and won't) write an update to make that extension work with Safari 13. If you manage to reinstall Safari 12, the 1Password 6 extension still won't work, because the Safari 12 installer doesn't get rid of (unknown) Webkit components that prevent the old extension framework from functioning.
Correct. Thanks! I found this out with Safari 13. I have 1Password 6.x and paid for the app. I refuse to "subscribe" for it now. But at least it (1Password 6 extensions) works with Firefox 70 and Chrome (which I prefer).
 


But at least it (1Password 6 extensions) works with Firefox 70 and Chrome (which I prefer).
I am unable to get Firefox 70 to work with 1Password 6 (v6.8.9) and extensions. The icon appears in the Firefox menu bar but otherwise does nothing. Which version of the extension are you using?

Everything works fine in Safari 12 (v12.1.2).
 


I am unable to get Firefox 70 to work with 1Password 6 (v6.8.9) and extensions.
1Password 6 Version 6.8.9 (689001)
Firefox 70.0.1
1Password extension 4.7.5.90
Works fine here. It broke after a recent update to Firefox, or possibly Catalina, but reinstalling extensions from 1Password6 > 'Install Browser Extensions...' fixed it.

This has happened to me in the past when Firefox went through a major update that broke extensions.
 


1Password 6 Version 6.8.9 (689001)
Firefox 70.0.1
1Password extension 4.7.5.90
Works fine here. It broke after a recent update to Firefox, or possibly Catalina, but reinstalling extensions from 1Password6 > 'Install Browser Extensions...' fixed it.
This has happened to me in the past when Firefox went through a major update that broke extensions.
Thanks. Those version numbers match what I have. I tried it again. It downloaded the extension, put up dialogs about installing, and then completed. As before, the icon appears but left-clicking does nothing. Right-clicking brings up a contextual menu.
 


Our family is happily using Codebook across our macOS and iOS devices. It syncs through Dropbox or Google Drive, though sadly there is no support for iCloud - which makes sense, since iCloud isn't really meant for shared (family) use.
 


Our family is happily using Codebook across our macOS and iOS devices. It syncs through Dropbox or Google Drive...
Thank you! I should point out, there is one more huge option, as I discovered when I excitedly visited their site: it also supports local wifi syncing. No cloud needed! For security, it is impossible to do better than that.

The only downside I can see is that it does not support browser extensions for auto-filling information on the desktop or on Android (though I don't use the latter) – further proof that the perfect password manager still does not exist.
 


The only downside I can see is that it does not support browser extensions for auto-filling information on the desktop...
While it doesn't have browser extensions, it apparently has a feature called "Secret Agent" – mentioned on page 20 of the manual – that at least partially makes up for the lack of a traditional extension. I'm not entirely clear on how it works without seeing it in action, but at least I won't be writing Codebook off before I have a chance to do that.
 


While [Codebook] doesn't have browser extensions, it apparently has a feature called "Secret Agent" – mentioned on page 20 of the manual – that at least partially makes up for the lack of a traditional extension. I'm not entirely clear on how it works without seeing it in action, but at least I won't be writing Codebook off before I have a chance to do that.
Codebook Desktop Secret Agent is a compiled AppleScript that lives in
~/Library/Application Scripts/

When invoked with its hotkey, it pops up a search box to find a Codebook record (e.g., "Apple ID"), then presents that record, from which any associated field (e.g., username or password) is selected. The selected field is entered where the Mac cursor happens to be. This means you can use it outside of browsers, for example in Terminal.
(I realize this may not be any more clear than the manual pages, but here we are. :)


You can run actions, too. Here's more in another manual.
 



Ric Ford

MacInTouch
It appears that Rob may have gotten early access to an updated PayPal interface that included support for authenticator apps. My PayPal account now has access to the screens that Rob described, rather than the older screens that my account had before. I imagine that this has been rolled out to all PayPal accounts by now. I was able to add an authenticator app to my account and remove the (relatively insecure) SMS option. I was unable to find any announcement or documentation about this on PayPal's site. In fact, their help documentation is completely devoid of 2FA information now.
I found help for setting up PayPal 2FA on the Authy website:
Authy said:
How to enable 2FA for PayPal
For a long time, PayPal only offered two-factor authentication security via SMS. And while SMS 2FA is better than no 2FA at all, users wanted better protection. Now you can secure your PayPal account with the Authy 2FA app....
#2FA #PayPal #Authy #setup
 


I'm leaning towards transitioning all our employees to using a Google Titan Security Key for two factor authentication.

Titan Security Key Bundle, FIDO U2F BT & NFC - Google Store

Yes, I understand there are other competitors in the hardware authentication device marketplace, but very few that offer the added convenience of Bluetooth. I also think it's wise to stick with Google, since our company is using the G Suite Business package for everyone here.

I'd love to hear feedback from those of you who have or administer the use of these keys and your experiences, both good and bad. Thanks!
 



I just happened to see that Codebook has been upgraded to Version 4. Anyone who has given it a look might want to give it another, as I certainly plan to do. I have no connection to the developer or the product, but I would be remiss not to share.
 


This is a caution for LastPass users. I got an email from LastPass advising me to update my app to a new version, which will soon disappear from the App Store. However, upon installation, I discovered that the new version requires macOS 10.12 or later. I'm still using OS X 10.11.6, because newer OS versions won't run my Adobe CS3 apps, and I'm not spending more money on an Adobe update or subscription model that I'll only need occasionally since retiring from the industry.

Methinks the updater should have checked my OS version before overwriting the old app. (Retrieving a copy of the old app from a backup was straightforward.)
 


Methinks the updater should have checked my OS version before overwriting the old app.
Are you sure you received an updater? When I went through the update process last night, I got a .dmg file that contained the current app and instructions to drag it to the /Applications folder.

In your case, the app icon should have had an overlay indicating that it wouldn’t launch in your OS, but that won’t stop you from overwriting the old app if you proceed with the drag and drop. There really isn’t any way to prevent that type of update from happening if you force it. Might have been a better idea for LastPass to have used an installer in this case, but it is a fairly common way to distribute updates these days.
 


In your case, the app icon should have had an overlay indicating that it wouldn’t launch in your OS, but that won’t stop you from overwriting the old app if you proceed with the drag and drop.
I did see that icon, Al. I had never seen it before, and had no clue what it meant.
 


Ric Ford

MacInTouch
This is a caution for LastPass users. I got an email from LastPass advising me to update my app to a new version, which will soon disappear from the App Store....
Here's more about LastPass's response to Apple's Safari changes:
The Verge said:
LastPass is discontinuing its native Mac app and replacing it with a more universal web app
Password management app LastPass has announced it will be discontinuing its native macOS app on February 29th, directing users in an email to switch over to the new web-based version of the app that will replace it.

According to the email, LastPass is making the change to “provide the best experience for our customers,” citing changes made by Apple in Safari 12 in 2018, which were designed to push developers toward offering browser extensions through native Mac App Store apps instead of the soon to be deprecated Safari Extension Gallery. While other apps, like 1Password, updated to implement the new system with their native apps, LastPass has decided to just remove support for the old native app entirely.
 


Maybe not as convenient as direct integration with websites and stuff like that, I still prefer the standards compliant safe database formats "Password Safe" and "KeePass", both of which have multiple implementations that can be used on macOS, iOS, Android, and Windows.

I have long used "pwSafe" on both macOS and iOS, which understands the "Password Safe" format, but recently have started to recommend the open-sourced "Strongbox" software, which understands both "Password Safe" and "KeePass" file formats, and I just learned that Strongbox also can generate OTP codes like Google Authenticator. If you enter an OTPAuth URL as the Password field, or anywhere in the Notes field, then Strongbox will automatically pick this up and display the TOTP code. Before discovering that Strongbox could do it, I was using "OTP Manager.app" on macOS and "Google Authenticator" on iOS.

For Windows and Linux, I would probably use "KeePassXC", which also has a macOS version, and for Android I have been recommending "KeePass2Android", both of which do OTP generation and are open source projects. I have little direct experience with either, but reviews and online chatter seem to indicate that these are widely used and actively supported.

For all of these, if you want multi-device syncing, you can provide the service of your choice (iCloud, Dropbox, OneDrive, etc.), and if the developers halt support or change something you don't like, you can migrate to one of the other offerings.

After writing this, I decided to support continual development for "Strongbox" by upgrading from the "free" version to the "Pro" version. I think I still prefer the individual entry default password generation options that "pwSafe" has, but Strongbox is worth supporting.
 


If you enter an OTPAuth URL as the Password field, or anywhere in the Notes field, then Strongbox will automatically pick this up and display the TOTP code.
OTPAuth URLs are defined here:
Google said:
I think that only the "secret" part really matters, as my simple tests seem to generate the same codes no matter what I put in as "issuer" or as the user part:
Code:
otpauth://totp/Example:me@place.com?secret=JBSWY3PXP&issuer=Example
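As an added illustration (not code from the thread, Strongbox or Google), here is a small Python parser for otpauth://totp/ URIs plus an RFC 6238 TOTP generator, which shows why the label and issuer never change the code while digits, period and algorithm do. The URI below is constructed; its secret is the base32 form of the RFC 6238 reference seed "12345678901234567890", and the parameter defaults (SHA1, 6 digits, 30 s) are the ones the key-URI format specifies.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Defaults applied when a parameter is absent from the URI (key-URI format defaults).
DEFAULTS = {"algorithm": "SHA1", "digits": 6, "period": 30}
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the fields a TOTP generator needs."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    label = unquote(u.path.lstrip("/"))  # e.g. "Example:me@place.com"
    # The issuer parameter wins; otherwise fall back to the label prefix before ':'.
    issuer = q.get("issuer") or (label.split(":", 1)[0] if ":" in label else "")
    return {
        "label": label,
        "issuer": issuer,
        "secret": q["secret"],
        "algorithm": q.get("algorithm", DEFAULTS["algorithm"]).upper(),
        "digits": int(q.get("digits", DEFAULTS["digits"])),
        "period": int(q.get("period", DEFAULTS["period"])),
    }


def decode_secret(secret):
    """Base32-decode a secret, tolerating lowercase, spaces and missing '=' padding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that QR codes usually omit
    return base64.b32decode(s)


def totp(params, now=None):
    """RFC 6238 TOTP: HMAC over the big-endian 64-bit step counter, dynamically truncated."""
    now = time.time() if now is None else now
    counter = int(now) // params["period"]
    digest = hmac.new(decode_secret(params["secret"]), struct.pack(">Q", counter),
                      HASHES[params["algorithm"]]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])


def code_for_uri(uri, now=None):
    """Convenience wrapper: parse the URI and return the current (or given-time) code."""
    return totp(parse_otpauth(uri), now)


# Constructed URI; the secret is base32("12345678901234567890"), the RFC 6238 test seed.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_URI = f"otpauth://totp/Example:me@place.com?secret={RFC_SEED_B32}&issuer=Example"

if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    print(p["issuer"], p["label"], totp(p))
```

Only the bytes fed to HMAC (secret and time step) and the truncation parameters (digits, algorithm) influence the output, so renaming the issuer or account leaves the code unchanged, which matches the observation above.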
 


I still use and promote 1Password by Agilebits. Someone once told me about this program that I never heard of - now I'm a true convert!

I moved to the PC side for all my creative work, but when I use my Mac, I create a vault file, sync to my iCloud, and had the purchased version (not subscription). I cannot use 1Password on Windows with my iCloud vault file, and Agilebits wants me to subscribe and use their server, something I am not willing to do at this time. (The thing is, and do you agree, having all your passwords held hostage by subscription? I am sure you could download the vault but... I wonder about access, etc.).

Now, my employer provides me a free LastPass (that I only use for work, at work), which has some nice features, but since LastPass was breached twice so far, I am not a fan and don't recommend it for novice users.

I am surprised Apple hasn't bought up Agilebits and made this "foolishly mandatory" password management software their own. Or maybe they did offer, and Agilebits told them to scoot. I don't know though, for $36/yr. – would you pay that for password management? (Oh, and I am sure it will increase annually... for inflation of course. ;)
 


(The thing is, and do you agree, having all your passwords held hostage by subscription? I am sure you could download the vault but... I wonder about access, etc.).
1Password keeps local copies of all your passwords; the Agilebits servers are used for synchronization. If your subscription expires, all your devices will have local copies current as of the last synchronization.
 


(The thing is, and do you agree, having all your passwords held hostage by subscription? I am sure you could download the vault but... I wonder about access, etc.).
See "How to export data from 1Password" as it offers three formats: .1pif, .csv, and .txt.
…for $36/yr. – would you pay that for password management?
I was skeptical and hesitated when AgileBits released 1Password Version 7 for macOS in mid-2018, so I followed it for 8 months. About a year ago, I took advantage of their special introductory price of $8.99 for 6 months. I am very happy with all aspects, so yes.
 


1Password keeps local copies of all your passwords; the Agilebits servers are used for synchronization. If your subscription expires, all your devices will have local copies current as of the last synchronization.
Ditto for LastPass. If you don't need to sync multiple devices, you don't need a subscription. It's cheap enough, and I love not having to do anything at all to keep my Mac and iPad in sync. They say everything is strongly encrypted on your local device before transmittal to their server, and the data does not include your master password.
 


For Windows and Linux, I would probably use "KeePassXC", which also has a macOS version...
While we're on the subject of KeePass and its variants, has anyone tried MacPass? It does look very Mac-like, and a cursory search of MacInTouch didn't yield any past mentions of it. It is, of course, both open source and free.
 


Am I the only one who uses Safari as a password manager?

I use other browsers for other things, but for all of the sites I log into, I use Safari and have it save the usernames/passwords to most sites. I have a single computer and no tablets and can count on one hand the number of times a year that I'd want to use my phone for anything other than phone calls, texts, and emails, so I have no need for syncing with other devices.

(Safari has some sort of "save to iCloud" which I take to mean it would sync with an iPhone, but I don't need that.)
 


While we're on the subject of KeePass and its variants, has anyone tried MacPass? It does look very Mac-like, and a cursory search of MacInTouch didn't yield any past mentions of it. It is, of course, both open source and free.
I do use MacPass. It has been trouble-free for me, so I don't know much about it. It was recommended to me to join a database saved on Dropbox. I have not looked at other popular password managers, maybe because MacPass has been so good. I am not a power user.
 


Am I the only one who uses Safari as a password manager? I use other browsers for other things, but for all of the sites I log into, I use Safari and have it save the usernames/passwords to most sites.
While easy to use, that approach has at least one major drawback: while the data may be protected by a password (which will prevent casual access to your data), the browser itself generally stores the saved logins in an unencrypted (or minimally encrypted) manner.

What this means is, if your computer were ever to get lost or stolen, your data could potentially be at risk. Note that this caveat also applies to other browsers, such as Firefox, (but not to Firefox's recent Lockwise initiative, as long as you choose to use a password with it).
Sophos said:
Safari does, in theory, protect your data in the macOS Keychain, but vulnerabilities for it aren't exactly unheard of:
Sophos said:
The other issue is that (particularly since you don't use iCloud Keychain) backing up and restoring the keychain is more labor-intensive than with a dedicated password manager, with more potential pitfalls (since the keychain stores much more than just your browser passwords, to keep things working behind the scenes).
 


Now, my employer provides me a free LastPass (that I only use for work, at work), which has some nice features, but since LastPass was breached twice so far, I am not a fan and don't recommend it for novice users.
All password managers have had their incidents. If we used security incidents as a justification to prefer one product over another, there would be no software we could use. :)
 


All password managers have had their incidents. If we used security incidents as a justification to prefer one product over another, there would be no software we could use. :)
As far as I know, 1Password has never been hacked. The reason I prefer it is that we have two each: laptops; iPhones and iPads, and four computers. That's 10 devices that are all kept with passwords in-sync without any effort on my part. I pay for the subscription, obviously, but the convenience factor is well worth it, in my opinion.
 


Am I the only one who uses Safari as a password manager?
Relying on Safari (and the macOS keychain) to keep track of my passwords has occasionally caused me pain when the macOS keychain goes bonkers. I have over the years seen a few cases where items in the keychain get modified by the system or the whole keychain has gone bad.

With that said, using my browser to autofill passwords that it keeps track of is great, and I use it a lot, but I also try to always keep my records in a password file (as mentioned, I like the open source Keepass and Password Safe formats) that only I have access to, not the macOS system or any other provider. Nothing is uniquely stored by the browser or the keychain, so a failure there will not be disastrous.
 




Apparently there's a vulnerability in Google's Authenticator app for 2FA. I haven't been able to figure out if it applies to other authenticator apps (like Microsoft's or 1Password, e.g.) It's inspired me to set up a hardware key (I've got a Yubico and a Google Titan.)

Anyone have a recommendation for a site/article with best practices that's geared towards a (moderately savvy) user, and not security experts? Or, a good place to make sure the keys I have (Yubico 4, Titan USB A/NFC) are still ok to use? All of the reviews I found just looked at the currently available/latest keys.

Thanks!
 


Apparently there's a vulnerability in Google's Authenticator app for 2FA.
It is not a vulnerability in Google's app. It is basically remote access malware that uses the accessibility features of the phone to "read" what's on screen. Any app is potentially a target.
Android Police said:
2FA apps like Google Authenticator reportedly vulnerable to malware snooping
The makers of the trojan are working on the capability to covertly read your Android phone screen to siphon off device-unlocking credentials (PINs and passwords) and other vital information, such as the 2FA tokens that appear in the Google Authenticator app, or its various alternatives.
This would certainly be a problem, but it does require malware on your phone. As I understand it, Cerberus (the trojan in question) relies on social engineering to get installed on a phone.

If someone is fooled by social engineering to install malware, they need to become better informed and change their behaviors, otherwise this malware will be the least of their problems.
 


It is not a vulnerability in Google's app. It is basically remote access malware that uses the accessibility features of the phone to "read" what's on screen. Any app is potentially a target. This would certainly be a problem, but it does require malware on your phone. As I understand it, Cerberus (the trojan in question) relies on social engineering to get installed on a phone. If someone is fooled by social engineering to install malware, they need to become better informed and change their behaviors, otherwise this malware will be the least of their problems.
Thanks for your reply. The articles I read didn't make it clear how the Authenticator app was vulnerable. That being said, today's trojan is tomorrow's adware/virus/whatever other mechanism the bad guys use.

Since pretty much all of my other accounts link back in some way to my Gmail/Google account, I still think it's prudent to make that account as secure as possible; the Yubikey/Titan hardware keys seem to be the best approach. I just want to make sure I'm setting them up correctly (there are a lot of other options Google gives you to access your account - important if the hardware keys fail but confusing if you're trying to figure out what the most secure way to set it up is).
 

