Hacker News new | ask | show | jobs
by dorfsmay 3773 days ago
You are uploading a file that is encrypted using very strong encryption, not plain text password.

An employee of that company, or if the file was leaked due to technical errors, a member of the general public won't be able to decrypt it. If one of the richest governments wanted to, they might be able to, but if you had reasons to be a target you'd know better than using this.

Also, take a look at SpiderOak.
1 comments
oneeyedpigeon 3773 days ago
Is strong-encryption something that 1password is fundamentally opposed to, or something they just haven't implemented yet? If I'm going to switch, the answer to question is pretty important.
link
forty 3773 days ago
I work for a competitor of 1password, and as far as I know 1password is one of the "serious" password managers and I really doubt they would store data unencrypted. Last time I checked, they did not offer cloud sync directly, but integrated with dropbox to store your encrypted vault. Not really sure what the previous comment wanted to imply.
link
DenisM 3773 days ago
>strong-encryption something that 1password is fundamentally opposed to?

where did you this idea?

link
oneeyedpigeon 3773 days ago
The comment I replied to which suggested that strong-encryption was a differential between keepass and 1password.
link
DenisM 3772 days ago
As far as I can see, the comment you replied to contains no mention of these things. Can you quote the relevant part?
link
oneeyedpigeon 3772 days ago
cmrx64: it all depends on how much you trust 1password and what your threat model is. For me, the advantage of keepass is that I don't need to upload my credentials anywhere

oneeyedpigeon: But if you want to sync your credentials across devices, you still have to upload them somewhere, right?

dorfsmay: You are uploading a file that is encrypted using very strong encryption, not plain text password

I took that to mean:

(with keepass) you are uploading a file that is encrypted ... not plain text password (as for 1password)

dorfsmay has now confirmed that was their meaning in this comment: https://news.ycombinator.com/item?id=11177045

link
DenisM 3772 days ago
Thanks. This was very cryptic, I'm surprised you pieced it together.
link
dorfsmay 3772 days ago
No, but my understanding is that with 1passsword and similar service the web client sends the password in unencrypted form to the server. A rogue employee, is even the combination of a bug and a leak would expose your password.

With keepassx, your password never leaves your device in unencrypted form.

link
apawloski 3772 days ago
This is very much untrue. 1Password syncs an encrypted vault through separate channel (e.g. Dropbox, iCloud) -- it has zero-knowledge of your passwords. It just picks up a big encrypted blob from wherever you store it.

"The easiest way for us to protect your data and data about you is to not have that data in the first place. You may be noticing a theme by now: we can’t reveal or abuse data that we don’t have.

We do not have your 1Password data. We do not know your 1Password Master Password. We don’t even know if you use 1Password. We do not know how many items you have in your vault or their type."

https://support.1password.com/private-by-design/#what-we-cou...

link
dorfsmay 3772 days ago
Thanks for the clarification.
link