TamaraB
Question The Current Paradigm
Premium Member
join:2000-11-08
Da Bronx
·Verizon FiOS
Ubiquiti NSM5
Synology RT2600ac
Apple AirPort Extreme (2013)

TamaraB to Shady Bimmer

Re: [OS X] Keychain disappointment

said by Shady Bimmer:

said by TamaraB:

Both 1Password and Apple's system send that data to off-site systems, where they are out of your control, and can be compromised.

Do you have evidence that 1Password does this?

Well, one of the main reasons to use these applications is to synch passwords between computers. The only way that is accomplished is by allowing 1Password to use Dropbox, and Keychain to use iCloud.

Every browser I know of has the ability to remember passwords; that's no big deal. It's keeping them in sync between systems that's the security risk. I am not comfortable allowing my banking and other sensitive financial and medical access passwords to leave my immediate control. Other passwords, like BBR and other systems I frequent, are another matter. There is little damage which can be done if those passwords leak.

I run a Mac Mini server on my home network which provides VPN for all my WiFi access, whether in-house or out. If there was a way to synch passwords via the server, never having them leave my home network, I would feel better about these programs.

I know not how secure Agilebits or Dropbox is; given recent revelations on the subject, I suspect not very. In short, there doesn't seem to be any secure way to sync ALL your passwords between computers without exposing them to unknown/outside security threats, is there?

But that's just me: I am just a little bit paranoid and very concerned about privacy. Who else uses WiFi over VPN at home for their iPads, MacBooks, and iPhones and restricts everything else to ethernet?

Thinkdiff
MVM,
join:2001-08-07
Bronx, NY

1 recommendation

WiFi Sync in 1Password does not touch any external server. Depending on the VPN, you may even be able to use that over cellular w/ VPN. Otherwise, you'd have to wait until you get home to perform the sync.

Shady Bimmer
Premium Member
join:2001-12-03

Shady Bimmer to TamaraB
said by TamaraB:

Well, one of the main reasons to use these applications is to synch passwords between computers. The only way that is accomplished is by allowing 1Password to use Dropbox, and Keychain to use iCloud.

The choice to send your data offsite is yours. You don't have to use 1Password with a cloud service and many do not.

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

You can also use multiple vaults with 1Password so you can keep your different "secrets" separate. You can synchronize one vault using Dropbox, another using WiFi or USB, and another not synchronized at all.

TamaraB to Thinkdiff
said by Thinkdiff:

WiFi Sync in 1Password does not touch any external server. Depending on the VPN, you may even be able to use that over cellular w/ VPN. Otherwise, you'd have to wait until you get home to perform the sync.

I didn't know that 1Password could sync over WiFi. I will have to revisit their docs. I am at home now, on my MacBook, WiFi connected via VPN, so my online WiFi data is encrypted. It's pretty much the same setup I use when away from home. My private and public IP address and DNS service is always coming from my server, and CV connection.

What would 1Password sync to? A server share? Or would I have to have my other Macs on to sync with them? Wouldn't there have to be a third party, some man in the middle, involved for this to work?

TamaraB to Shady Bimmer
said by Shady Bimmer:

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

That would be nice. How, without using an external service?

TamaraB to Thinkdiff
said by Thinkdiff:

Depending on the VPN ....

I use L2TP with a shared secret. It puts me on my home network as if I were connected at home. Everything, including Time Machine, works as if I were local.

Shady Bimmer to TamaraB
said by TamaraB:

But that's just me, I am just a little bit paranoid and very concerned about privacy, who else uses WiFi over VPN at home for their iPads, MacBooks, and iPhones and restricts everything else to ethernet?

There's nothing wrong with being a little paranoid.

WiFi at home should be using WPA2 by now which already ensures the connection is encrypted and is secure. With modern hardware there is really no downside to layering a VPN on top, however.

I assume that you also have a strong passcode on your iPad, iPhone, and other mobile devices too? Your MacBook should be using FileVault2 or other full disk encryption (iPads and iPhones already encrypt their storage by default). In fact every one of my devices (desktops, servers, laptops, mobile) has its storage encrypted.

While I may or may not trust DropBox, I do not consider it secure. However, 1Password keychains and encrypted containers such as encfs/boxcryptor, truecrypt, etc. provide known security on top.

Shady Bimmer to TamaraB
said by TamaraB:

said by Shady Bimmer:

If you want to keep multiple devices in sync, your options are limited but this is still possible. Even with 1Password you do not need to use a public service to do so and you can keep your private data truly private.

That would be nice, how, without using an external service?

With 1Password you would use WiFi sync. That is specifically why AgileBits provides this (it is a commonly used feature). If you do not use a VPN you would only be able to sync on your home network (or other trusted network that has connectivity by the devices you want to sync).

Thinkdiff to TamaraB
said by TamaraB:

said by Thinkdiff:

Depending on the VPN ....

I use L2TP with a shared secret. It puts me on my home network as if I were connected at home. Everything, including Time Machine, works as if I were local.

As long as the L2TP tunnel is passing mDNS (broadcast) packets, I don't see why it wouldn't work over your VPN.

BTW, VPN over WiFi (w/ WPA2) isn't really necessary when you're already on your own local network. It may even cause problems if the VPN's private space is the same as your local network's space.

Do you run your ethernet connected computers through the VPN, too?
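Thinkdiff's mDNS remark is the crux for any discovery-based sync over a tunnel. As an added example (not from this thread, and not AgileBits' or Apple's code), the Python 3 script below builds an mDNS service-enumeration query, multicasts it, and parses the PTR answers; run it on the home LAN and again while connected over the L2TP VPN to see whether mDNS actually crosses the tunnel. It uses only the standard library; the 2-second listening window is an assumption.

```python
import socket, struct

MDNS_GROUP, MDNS_PORT, PTR = "224.0.0.251", 5353, 12

def build_query(name: str) -> bytes:
    """Encode a single-question PTR query in standard DNS wire format."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", PTR, 1)

def read_name(pkt: bytes, off: int):
    """Decode a DNS name at off, following compression pointers; return (name, end)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        elif n == 0:                              # root label terminates the name
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def ptr_targets(pkt: bytes) -> list:
    """Return the PTR targets in the answer section of a DNS/mDNS message."""
    _, _, qd, an, _, _ = struct.unpack("!6H", pkt[:12])
    off, out = 12, []
    for _ in range(qd):                           # skip any echoed question
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        off = read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == PTR:
            out.append(read_name(pkt, off)[0])
        off += rdlen
    return out

def probe(timeout: float = 2.0) -> set:
    """Multicast the service-enumeration query and collect service types that answer.
    Sending from an ephemeral port makes responders reply by unicast to us (RFC 6762 6.7)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)                      # assumed listening window (constructed value)
    sock.sendto(build_query("_services._dns-sd._udp.local"), (MDNS_GROUP, MDNS_PORT))
    found = set()
    while True:
        try:
            found.update(ptr_targets(sock.recvfrom(9000)[0]))
        except socket.timeout:                    # no more answers; empty if the tunnel drops mDNS
            return found
```

Call `probe()` from a Python prompt on each network; an empty set over the VPN but a populated one at home tells you the tunnel is not forwarding multicast.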

TamaraB to Shady Bimmer
said by Shady Bimmer:

WiFi at home should be using WPA2

Yes, I use WPA2 Personal on WiFi, with MAC address restrictions/filtering.
said by Shady Bimmer:

I assume that you also have a strong passcode on your iPad, iPhone, and other mobile devices too?

Yes, long pass phrases. The only way I could do that was to use OSX Server's Profile manager. But yes long secure pass phrases on both iPad and iPhone.
said by Shady Bimmer:

You MacBook should be using FileVault2 or other full disk encryption (iPads and iPhones already encrypt their storage by default). In fact every one of my devices (desktops, servers, laptops, mobile) all have their storage encrypted.

No. After reading up on encrypted Mac filesystems, I was a bit apprehensive about going that route. I understand recovery becomes an issue with encrypted filesystems, as does disk access times. All my Macs are tricked-out with SSDs for speed, and I didn't want to take a speed hit.

Thinkdiff

This thread is really off the rails at this point, but...

MAC address filtering is useless. It causes more headaches for you than anybody trying to get into your wireless network. WPA2 is enough. I'm not even saying there's a trade-off with disabling it. It really, really is useless.

Long passwords can be set on iOS by going to the passcode lock settings. When the keyboard pops up to enter a passcode, press the button on the bottom left to switch between number/alpha. Then just type in any passphrase you want.

FileVault 2 is incredibly fast. If you have a recent Mac (i5 or better from the Westmere line or later, e.g. after 2010), it supports hardware AES encryption. If you have an older Mac, the speed penalty is small. In day-to-day operation, I've noticed zero difference with FileVault 2 turned on. And recovery shouldn't be a concern for you as you use Time Machine.

TamaraB to Thinkdiff
said by Thinkdiff:

As long as the L2TP tunnel is passing mdns (broadcast) packets, I don't see why it wouldn't work over your VPN.

I don't know what that means. Will have to look it up.
said by Thinkdiff:

BTW, VPN over WiFi (w/ WPA2) isn't really necessary when you're already on your own local network. It may even cause problems if the VPN's private space is the same as your local network's space.

Yes, I get an address in the same address space over VPN (local and remote), 10.0.1.XX. I have not observed any issues; it just works. Possibly because it's a Mac OS X Server providing the VPN, DNS, and routing?
said by Thinkdiff:

Do you run your ethernet connected computers through the VPN, too?

No. I ASSUME that data is restricted to the copper wire. At least I think so. However, when I am at my GF's, and ethernet connected, I do run through my VPN. She has all sorts of stuff connected including WinDoze machines, I treat that network like any other hostile network.

Shady Bimmer to TamaraB
said by TamaraB:

Yes, I use WPA2 Personal on WiFi, with MAC address restrictions/filtering.

I use MAC address filtering too, but realize that it really does not offer anything in the way of security (it is trivial to spoof a hardware address, and it is trivial to identify an authorized hardware address).
said by TamaraB:

No. After reading up on encrypted Mac filesystems, I was a bit apprehensive about going that route. I understand recovery becomes an issue with encrypted filesystems, as does disk access times. All my Macs are tricked-out with SSDs for speed, and I didn't want to take a speed hit.

I'm not sure where recovery becomes an issue, though it depends entirely upon your backup solution. You noted you use Time Machine (as do I), which backs up the unencrypted data. You have the option to additionally encrypt your backups, but the data that is backed up is itself the unencrypted contents.

With respect to performance, you may want to do some testing. Not necessarily running benchmarks, but actually trying it out to see if it makes a noticeable difference. Modern Intel processors include acceleration for the types of encryption used most commonly, which helps tremendously. I personally don't notice any difference on my mid-2010 MBP.

Getting back to the original topic, Apple's direction with integration of keychains with iCloud is a good thing, even if only to encourage more users to embrace password managers. This is beyond basic browser password caching and is more secure.

Users of 1Password will likely not find any benefit with the Apple solution, especially with the recently released update. However for those that do not use any password manager this is a big step forward.

TamaraB to Thinkdiff
said by Thinkdiff:

FileVault 2 is incredibly fast. If you have a recent Mac (i5 or better from the Westmere line or later, e.g. after 2010)

All my Macs are Late 2012 i7s with the faster CPU. FileVault can be turned on at any time, right?

Shady Bimmer
Yes, it can be enabled or disabled at any time.

As a best practice always ensure you have a good backup (or two). It will take some time to encrypt the drive, but with an SSD this will be much faster than spinning rust.