by infinitelurker 3812 days ago
Thanks for the link to the 1password compromise, although I stand by my point: that compromise is due to extraneous features as opposed to the core functionality. Being conservative myself, that's not a feature I use.

I see 1password's main vulnerability being someone gaining access to a device and the vault passcode, or obtaining that passcode through a keylogger.

I'm not sure how difficult it would be to brute force into 1Password locally, but either way it's a low-benefit game compared to the potential access from a compromise of a cloud-based scenario like LastPass.

But I'm always open to security advice...


> I'm not sure how difficult it would be to brute force into 1Password locally, but either way it's a low-benefit game compared to the potential access from a compromise of a cloud-based scenario like LastPass.

I'm not sure if you're familiar with how Lastpass works in general, but all of the data you store with Lastpass is encrypted in almost an identical manner to your 1password vault. They can't read your passwords.

A "compromise" of Lastpass would require brute forcing each user's vault in order to gain any actual passwords, which would require an extraordinarily long time.

I know it sounds concerning saying "put all your passwords in the cloud" but the reality is that it's no different than using 1Password with sync enabled.
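To make the reply above concrete (that the sync service holds only ciphertext, and that an attacker who steals it must pay the key-derivation cost on every master-password guess), here is an added example that is not code from the page, from LastPass or from 1Password. It assumes PBKDF2-HMAC-SHA256 with 100,000 iterations as the stretching step and uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a standard-library stand-in for the real cipher; the vault contents are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import time

# Assumed work factor for the example; the page gives no KDF settings for
# either product, so this is not a claim about LastPass or 1Password.
KDF_ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.
    Every guess an attacker makes has to pay this cost, which is where the
    'extraordinarily long time' in the thread comes from."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 so the example runs on the
    standard library alone. A real vault would use AES-GCM or similar; this is
    a stand-in, not the cipher either product uses."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict,
                  iterations: int = KDF_ITERATIONS) -> dict:
    """Produce the blob a sync service stores: public salt, nonce and iteration
    count, ciphertext, and an integrity tag. No key material is included."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over everything the attacker could alter.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": iterations,
            "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict):
    """Return the entries, or None if the password is wrong or the blob was tampered with."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ct"])
    key = derive_key(master_password, salt, blob["iterations"])
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None  # wrong password or modified ciphertext: same failure, no oracle
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def offline_guesses(blob: dict, candidates):
    """What an attacker holding only the stored blob can do: try master passwords
    one at a time. Returns (recovered password or None, guesses tried, seconds spent)."""
    start = time.perf_counter()
    for tried, guess in enumerate(candidates, 1):
        if decrypt_vault(guess, blob) is not None:
            return guess, tried, time.perf_counter() - start
    return None, len(candidates), time.perf_counter() - start


def seconds_to_exhaust(seconds_per_guess: float, alphabet_size: int, length: int) -> float:
    """Time to try every password of the given length, single-threaded."""
    return alphabet_size ** length * seconds_per_guess


if __name__ == "__main__":
    # Constructed sample vault, not real credentials.
    blob = encrypt_vault("correct horse battery staple", {"example.com": "hunter2"})
    _, tried, elapsed = offline_guesses(
        blob, ["password", "letmein", "correct horse battery staple"])
    per_guess = elapsed / tried
    print(f"{per_guess:.3f} s per guess at {blob['iterations']} iterations")
    years = seconds_to_exhaust(per_guess, 36, 10) / 31_557_600
    print(f"10-char lowercase+digits, one core: {years:.0f} years")
```

The blob is all the service ever sees, and it is also exactly what a leaked Dropbox-synced 1password file would give an attacker, which is the reply's point about the two setups being equivalent once the vault leaves the device. The per-guess time is dominated by the iteration count, so the offline cost scales linearly with it; a weak master password shrinks the keyspace term and no amount of stretching rescues that.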

>the reality is that it's no different than using 1Password with sync enabled.

Except that a user's LastPass vault lives in the "cloud", so a compromise of that password can likely open the door, and it makes it a more enticing target to begin with. Compare that to the likelihood of merely getting at the 1password vault (assuming it's not synced to the cloud), which is a significant barrier.

Again, for me this discussion is educational; I'm curious how having this data in the cloud could ever be considered more secure than local storage.

> I'm curious how having this data in the cloud could ever be considered more secure than local storage

It's not, I didn't mean to give that impression. It increases your attack surface, which is a tradeoff that 99.99% of users are happy to make for the convenience of having instant and strongly secured access to all of their passwords from anywhere.

I meant to point out that this is no different than how the vast majority of 1Password users configure their database: with Dropbox syncing.

For me, this is a required feature for using a password manager. If you do not need this feature, local storage only is better. However, I'll argue that if you have that level of concern then you should also not be using any closed-source password manager in the first place.

Are you sure about the vast majority? Do you have a source for that?

I use 1pass too and would never consider storing passwords in the cloud, let alone on Dropbox.