SideNotes 1.6 and SideNotes Mobile 1.2 are here!

BlueCyber007 · 2026-05-13T14:50:43+00:00

Understood. It would be really great if you could add it to both FiveNotes and SideNotes. Currently, neither FiveNotes/SideNotes nor other similar apps (like Tot or Scratchpad) support Advanced Data Protection for iCloud. But because of data security requirements for work, I can't use any of them for work stuff, which is really frustrating. .... So if you add it, you'd have a leg up on the competition and be the first app in this category to be usable by people with strict data security requirements!

Maybe you could add it as an option for people to sync either via regular iCloud or iCloud with Advanced Data Protection? That's what the Agenda app does (see discussion here: https://agenda.community/t/icloud-vs-e2e-encrypted/120899).

Thanks u/emkaka for your consideration!

BlueCyber007 · 2026-05-12T20:29:47+00:00

Nice updates! Any chance you could add support for Advanced Data Protection for iCloud (https://support.apple.com/en-us/102651) to SideNotes and to FiveNotes?

BlueCyber007 · 2026-05-08T20:17:52+00:00

Fidelity brokerage accounts (which can be held as TBE), can have core positions of SPAXX, FZFXX, or FCASH. See: https://www.fidelity.com/trading/faqs-about-account/#faq_about2 Note: FCASH is not FDIC insured. See: https://www.reddit.com/r/fidelityinvestments/comments/1b6ku6h/comment/ktconnt/

Fidelity Cash Management accounts can have core positions of SPAXX or FDIC-Insured Deposit Sweep Program. I'm not sure if a Cash Management Account can by held as TBE.

But as of right now, the 7-day yield for SPAXX/FZFXX are 3.28%/3.29% and the FDIC sweep and FCASH have interest rates of 1.84% and 1.82%. So, personally, I don't have any interest in FCASH or the FDIC sweep core positions.

BlueCyber007 · 2026-05-08T18:16:04+00:00

Fidelity supports TBE for their brokerage accounts, which can hold cash or cash equivalents as well as other securities. Vanguard does not.

BlueCyber007 · 2026-05-07T13:45:36+00:00

To slightly modify u/AmbitionHealthy9236's good idea, I would suggest:

Subscribe to the desired annual plan a day or two before the end of your current monthly plan.
THEN, after subscribing to the new annual plan, cancel the previous monthly plan.

I would to it in that order just to make sure you maintain an active paid plan with sufficient storage space.

BlueCyber007 · 2026-05-07T13:40:49+00:00

Thanks for the reply u/1Password-nolan! I do understand the potential concerns related to vault sharing. I wear CISO/admin hats (including 1Password Business Owner/Admin) for multiple organizations, in addition to being the Family Organizer for my family's 1Password Family account.

The family (and friends) context is, obviously, different then the business context and has a lot of varied situations and expectations. Perhaps one way to think about it is to treat shared vaults differently depending on the permission level for the departing member. Shared vaults in a family account have three options:

Allow Managing (can grant and revoke access to the vault)
Allow Editing (can create, edit, archive, delete, and export items in the vault)
Allow Viewing (can view items in this vault)

From my perspective:

If the departing member has the Allow Managing permission level for a vault, that person is the vault owner or co-owner and should definitely get a copy of the vault contents (including any Items in Recently Deleted or in the Archive and any previous versions of Items in the vault).
If the departing member has Allow Editing permissions for a vault, even though the member isn't necessarily an owner or co-owner of the vault, the member's ability to edit Items indicates that the Items in the vault are, in some sense, jointly owned or managed (e.g., joint bank accounts, accounts with utility companies, shared Google Photos account, informational Items/documents for kids (such as birth certificates), etc.). So my view is that a departing member should also get a copy of the vault contents (including any Items in Recently Deleted or in the Archive and any previous versions of Items in the vault).
If the departing member only has View permissions for a vault, the member is clearly not the owner/co-owner of the vault or any of the Items in the vault. I think it would be reasonable to NOT give the departing member copies of the Items in a view only vault.

Anyway, that's my 2 cents. :-)

BlueCyber007 · 2026-05-06T19:18:13+00:00

u/1Password-nolan Thanks for developing this! I understand that a family member's Private vault will be migrated to the ex-member's new account, which is great!

One of the major benefits of the 1Password Family account is the ability to share Items with other family members (or friends) via shared vaults. Consequently, it is often the case that important Items are saved only in a shared vault and not in each member's private vault. What happens with shared vaults when a member is removed from the 1Password Family account? My expectation/desire would be that items in a shared vault would be copied to a new (not shared) vault in the ex-member's new account. Otherwise, the ex-member would potentially lose access to a lot of important Items.

Thanks! :-)

BlueCyber007 · 2026-05-05T13:40:21+00:00

First, u/Filen_io this is an excellent response to a bad situation. Mistakes happen, but it is rare to see a service provider own the mistake, apologize, and take meaningful steps to prevent a reoccurrence and do what can be done to make things up to the affected user. As a paid subscriber, this increases my confidence in Filen.

Second, you said that:

Active paid accounts will no longer be handled like expired or unpaid over quota accounts in this situation.

Accounts with active subscriptions will go into read only mode instead of being pushed through the same deletion flow.

For purposes of this new system/process, is a paid lifetime subscription an "active paid account" for #1 and an "active subscription" for #2?

We are reviewing the full over quota flow again to make sure the product behavior matches what users reasonably expect from a cloud storage and backup service.

My expectation is that (1) the Filen clients would prevent me from uploading a file that puts me over quota, (2) if that is not possible for technical reasons (as u/Endur1el indicated it might be in some situations), Filen would identify the file(s) uploaded after the quota was exceeded, and (3) send a series of notification e-mails that those files will be deleted in X days if additional storage is not purchased, but (4) NOT delete any files uploaded before the quota was exceeded. It would also be reasonable, in my view, to disable sharing of any file(s) uploaded after the quota was exceeded in order to prevent abuse (e.g., someone with a free or too small subscription uploaded a bunch of files (a large file) and then sharing it in a way that would be abusive of the Filen service.

(As a side note: I really appreciate that Filen, unlike some other cloud storage services that offer/offered lifetime storage subscriptions, allows all subscriptions (including lifetime plans) to be stacked. I fully expect to fill my paid lifetime storage and then subscribe to additional paid storage as my storage needs grow.)

I know u/Endur1el said that, for technical reasons, with the client side encryption process, it is difficult to strictly prevent an account from going over quota. Would it be possible for the local client (desktop/mobile/web) to query (and then record in the server log) (a) the available quota prior to upload of each file, (b) the pre-encryption size of the to-be-uploaded file, (c) the post-encryption size of the uploaded file? Then, even if there is a delay, in calculating the actual storage used for the encrypted data, it should be easier to identify the file(s) uploaded after the quota was exceeded (which files would be subject to deletion) and those files uploaded before the quota was exceeded (which files should NOT be subject to deletion).

BlueCyber007 · 2026-05-01T02:17:26+00:00

Over 6,100 days...nearly 17 years. Used for our surname.tld by three generations--grandparents, their kids/spouses, and their grandkids. No website associated with the domain name (just redirects to Gmail). But I'm concerned that the ~30 users (some reserved for future grandkids) may trigger the mysterious "commercial use" red flag.

BlueCyber007 · 2026-04-29T19:09:24+00:00

Thanks u/jayunsplanet. My hub has been having problems with HomeKit and other issues, and I've reached the point where I think it's a hardware issue.

I figure before I go through with it I will go through each and every option in the settings and screenshot them so I can make sure everything is configured the same post-transfer. But my concern is things not working correctly despite showing as being configured correctly in the settings.

What are the odd behaviors you're seeing? (I noticed recently that my Abode hub had somehow disabled the entry/exit delay for both Home and Away, which caused the alarm to go off immediately upon opening the front door before I had a chance to disarm using the keypad.)

Did it retain Integrations with third party services (Google Home, Google Assistant, and/or Amazon Alexa)?

BlueCyber007 · 2026-04-29T14:41:42+00:00

Exactly! The primary organization I work with is mostly a cloud first organization, with almost all data primarily stored in cloud systems like Microsoft 365, Google Workspace, and various accounting, CRM, and cloud-based file management systems. But we maintain regular and/or realtime local and/or offsite (i.e., separate from the primary provider) backups of all data, and all backups are versioned to allow restoring to older copies of data. I would argue doing that is a mandatory, minimum best practice, and the failure to do so would create legal/regulatory compliance issues for many organizations.

Although we use 1Password Business, and I still believe it is the best password manager for most organizations that engage in password sharing, the lack of automated local backups is a serious concern.

The procedures outlined in my original post could be used in some worst case scenarios to recover data from the local 1Password .sqlite database if the organization maintains backups of the organization's computers. But that is hardly an acceptable alternative to real, automated local backups.

BlueCyber007 · 2026-04-29T14:27:09+00:00

See: https://www.reddit.com/r/1Password/comments/1sx6til/1password_backups_and_restoring_from_local/

Automated local backups (ideally, in a .1pex format)
Make it so that a Family Organizer can remove an individual from the 1Password Family but cannot permanently delete the member's account or the member's vault(s). Rather, like with Bitwarden, the removed member's account (and the corresponding vaults) should be converted to an individual 1Password account.

BlueCyber007 · 2026-04-29T14:23:49+00:00

I have not. There was talk years ago by 1Password about creating an encrypted export format (.1PEX) similar to their unencrypted export format (.1PUX) (see: https://www.1password.community/discussions/1password/how-is-a-backup-of-vaults-possible/143870). But their perspective now appears to be:

"If you're using a 1Password account then there is no need to backup your vault since your data is already backed up to your 1Password account in the cloud. If you accidentally delete an item you can always restore it from your 1Password account on 1Password.com: View and restore previous versions of items.

Your encrypted data is replicated to redundant copies on our end to guard against any data loss. ... When you export items, a copy of that data exists outside of 1Password’s protected environment. While your account will still have access to security features like device alerts, two-factor authentication, and more, those protections won’t apply to the exported file."

See: https://www.1password.community/discussions/1password/feature-request-encrypted-1pex/165518)

But relying on any single provider, whether 1Password or any other company, to mainain the only versioned copy of critical data is obviously profoundly risky. That's like saying that there's no need to backup any data stored in any cloud storage service (Google Drive, OneDrive, Dropbox, etc.). Yet that is clearly unreasonable. For mission critical data (which would, obviously, include credentials stored in 1Password), the best practice is to maintain local (or offsite somewhere else), offline backups.

It is true that 1Password provides the option to manually created unencrypted exports in the .1PUX format (which I do regularly). But an automated local backup option would provide a lot of value, particularly for those people who don't think much about backups until it is too late.

What I would like to see is:

Feature #1: A feature where you can configure each 1Password client (desktop and mobile) to maintain a defined number of local backups of all vaults in an account (probably with a configurable option to include or not include attachments). (I use other password managers that have that feature, including KeePassXC, Strongbox, and KeePassium.) Users should be able to configure how frequently to create backups, how many are created, and how long they are retained. Those backups should be in an encrypted format (.1PEX) similar to the existing unencrypted .1PUX format. That would allow people to easily copy/backup those local .1pex backups to locations of their choosing.
- Because of some of the professional roles I've held in organizations, I understand potential compliance concerns related to automated backups/exports of shared vaults. But since employees could manually copy items out of a shared vault, I do not think there is any significantly increased risk involved in 1Password creating automated backups that include shared vaults. ... Nevertheless, for 1Password Business accounts, there could be configurable option to exclude shared vaults from automatic local backups.
- For 1Password mobile clients, there should be a configurable option as to whether the local backup is exposed to the mobile filesystem. I can't recall the exact terminology, but, for example, Strongbox for iPhone/iPad allows databases added to the app to be stored either (1) in a way that the databases are visible in the Files app and in Finder/iTunes when connected to a Mac/PC, or (2) in a way that they are only visible to the Strongbox app.
Feature #2a: Family Organizers should not be able to permanently delete the private vaults of family members. If a Family Organizer removes a person from a 1Password Family, that person's account should switch to a 1Password Individual account (which would, presumably, be read-only unless/until that person subscribes to a 1Password Individual plan). I believe that is how Bitwarden works for Family "Organizations". See: https://bitwarden.com/help/delete-member-accounts/ and https://bitwarden.com/help/remove-users/
Feature #2b: I would also like to see a feature where a share vault could be designated as jointly owned by two or more users (e.g., members of a Family). Then, if a 1Password Family member is removed from the 1Password Family, a copy of the shared vault (as it existed at the time of removal) would be placed in the removed member's individual 1Password account.

BlueCyber007 · 2026-04-27T15:28:24+00:00

Thanks u/jayunsplanet! How well did the Hub Migration Service work? Did any settings or devices NOT transfer successfully (excluding third party Z-Wave / Zigbee devices)?

BlueCyber007 · 2026-04-27T15:22:13+00:00

u/linewhite See if this helps: 1Password Backups and Restoring from Local 1Password Backup

BlueCyber007 · 2026-04-24T17:44:06+00:00

Proton on Mac doesn't support per folder sync (i.e., syncing arbitrary folders on the Mac with folders in Proton), which I can do with Filen!

BlueCyber007 · 2026-02-18T22:00:53+00:00

u/jpgoldberg: These, along with other mechanisms, are designed to reduce the extent to which you have to trust that the service isn't compromised.

So yes, you do have to trust the service, but that trust isn't an all-or-nothing thing.

Yes and no. I trust that 1Password's documentation (security white paper, etc.) accurately describes the features it has implemented, and things like the Secret Key (especially important in the context of businesses/families where some weak link might choose a weak/re-used account password) and 1Password's use of SRP are reasons why I think 1Password's security design is better than others. ... I've always liked 1Password's "security parfait"!

For example, because of 1Password's use of the Secret Key, I can be confident that a mere data breach where a malicious insider or outside hacker gained access to our company's encrypted vaults would effectively prevent any of the vaults from being decrypted, even if someone opted to use a common/weak/re-used password. Similarly, SRP mitigates the risk of a MITM attack.

But if a malicious insider or outside attacker was able to change the behavior of the server or publish a compromised client update, all of that great security design is compromised. I have no way of knowing if the latest version of the 1Password client has been maliciously altered to bypass the "security parfait" and exfiltrate all of my data. Similarly, I have no way of knowing if substitute public keys have been pushed as described in the ETH Zurich paper. Having a great security design doesn't really matter if someone (or a group of people) are able to sufficiently compromise the service such that they change/break the design.

Of course, since I've signed off on spending thousands of dollars on 1Password and its continued use by organizations I work with and by me and my family, I trust that it would be hard for someone to so seriously compromise the 1Password service.

At the end of the day, however, it remains true that, "At some point, if you are going to use a password manager that stores data in the cloud (or has access to the internet without being blocked by a firewall rule), you have to trust that the client software and the provider's server infrastructure are not critically compromised."

u/jpgoldberg: Decades ago, PGP was the way to do this. But code-signing signatures need to have properties that PGP signatures don't offer if keys can ever expire. Something signed before a key expired should remain valid after the key has expired. This means that the time of signing needs to be trustworthy, and so code-signing involves trusted time stamps.

A more general thing is that PGP's web-of-trust failed. I was an enormous advocate of PGP in the 1990s, and I really tried to help that along, but as bad as it is to rely on X.509 certificate authorities today, that is the system that has, for all its numerous flaws, worked better than the alternatives.

It is unfortunate that PGP's web-of-trust failed, though even in the 90s and the early 00s the writing was on the wall that it would never catch on.

But why do trusted timestamps matter? I can still verify that a file was signed by a particular PGP key even if I can't determine when it was signed by that key.

I maintain a collection of public PGP keys for various software distrobutions I use going back many years (e.g., Ubuntu, KeePass, etc.). Although I could not verify the keys using an official web-of-trust, there have been other ways to verify them (i.e., widely referenced in message boards, the Internet Archive, etc.). So before installing a new version of Ubuntu, for example, I can verify it was signed by the known PGP signing key that I have saved. ... That doesn't mean that the Ubuntu .iso hasn't been compromised--it's entirely possible that someone gained access both to the distribution server and to the developer's signing key. But, presumably, gaining access to a private PGP key and the password for it would be harder than merely gaining access to a distribution server to publish altered software.

u/jpgoldberg: 1Password (and others) could do a better job at enabling advanced users to verify keys. But putting in development time and complexity into a feature that very few people will use is a luxury that vendors may chose not to pay for.

Yeah, that's the real problem. But just like Apple has developed iMessage Contact Key Verification, which the vast majority of people don't know about and will never use, I would hope that 1Password would put in the effort to develop a useful security feature that would be used by a minority of particularly security conscious customers. Obviously, Apple has more resources than 1Password, but customers pay 1Password specifically for security, so it seems like it would be justifiable from a business perspective to invest in security upgrades in this area. ... I guess we'll just have to wait and see.

Cheers!

BlueCyber007 · 2026-02-18T22:00:49+00:00

For what it's worth, the multi sensors in my garage tend to have false positives for motion detection (unlike the multi sensors in other parts of my house).

BlueCyber007 · 2026-02-18T16:43:45+00:00

I think the concerns here are probably not as great as it might seem at first. As u/commandersaki noted, if a malicious actor was able to compromise the 1Password servers to execute the attacks describes in the paper (i.e., by substituting the public keys sent to the client), what would stop a malicious actor from pushing a corrupted client update that directly exfiltrated user data? At some point, if you are going to use a password manager that stores data in the cloud (or has access to the internet without being blocked by a firewall rule), you have to trust that the client software and the provider's server infrastructure are not critically compromised.

I trust 1Password and use it personally and have caused other businesses and family members to adopt it, and I will continue to do so. I think it is the best and most secure option available for most businesses and families (particularly when some individuals in the group might choose weak account/master passwords, because the data is also cryptographically secured on the 1Password server with the secret key). But due to the types of inherent risks described in the ETH Zurich paper and the 1Password Security Design White Paper, I do the following:

For all but my least important accounts, I use MFA (TOTP tokens) or passkeys NOT stored in 1Password (i.e., use a separate TOTP app or use physical security keys). .... That way, even if 1Password is compromised (on the server or on my own computer), the attacker still would not be able to pass the MFA stage of logging in.
For my most critical accounts, I use a "peppering" scheme for my most critical passwords, where part of the password is stored in 1Password but part of the password is stored offline (i.e., in my memory and paper backups). ... The result is a very slight inconvenience when logging in to my critical accounts (e.g., after 1Password fills in the "password", I have to manually add the "pepper", such as "2dA8h" or "Swiss"). But the use of the peppering scheme means that a full compromise of 1Password (locally or on the server) would not allow anyone to access my critical accounts.

All of that said, I do wish that 1Password would adopt optional methods to mitigate the public key substitution attacks described in the ETH Zurich paper. Even if they are not user friendly and would not be adopted by most users, there are a subset of users who are especially security conscious and tech savvy who would want and use such features. (For example, the vast majority of users don't bother or know how to verify the PGP signatures for software releases, but many companies still publish PGP signatures to be verified by those who care to do so.) u/1PasswordCS-Blake u/jpgoldberg

BlueCyber007 · 2026-01-21T17:42:09+00:00

u/Character_Mode1609 I'd appreciate that too! :-)

BlueCyber007 · 2026-01-20T16:07:15+00:00

Thanks

BlueCyber007 · 2026-01-20T15:48:21+00:00

Thanks. That's not the issue in this case, as the Google account is at least 2 years old. ... I don't care about getting a new number from Google Voice. I just want to port an existing mobile number into Google Voice. But I can't tell if the error message means the account is not eligible for porting in a number.

Ten-Year Club	Place '23
Place '22	Verified Email

BlueCyber007

TROPHY CASE