by JonathonW 3759 days ago
Encrypted or not, if 1Password is sending passwords to the browser extension, that means its keychain is unlocked and malware, should it really want to grab data out of the keychain, could just request it from the 1Password helper itself. No need to passively sniff for passwords.

I don't really see what the vulnerability is here.

In a corporate environment, a system administrator with administrative access to employee/user machines could gain access to their credentials.

That's the big issue, I think, unless I'm missing something.

Someone with administrative access would have an almost unlimited number of ways of accessing passwords in any password manager. Key logging, memory dumps ... once your system is owned, you're SOL.

I agree, but this makes it a helluva lot easier.

I don't agree that installing a key logger (of which there are hundreds out there) and stealing the encrypted password files is in any way harder than logging lo0 and waiting for passwords to slowly trickle in while they're being used.

They can do that anyways by sniffing the keyboard directly.

Sure, but this is a helluva lot easier.

Why on earth do I care? They're both easy.