by macintux 3581 days ago
> It absolutely blows my mind that people are okay with giving their passwords (encrypted or not, see this very breach for why that's not always enough) to a 3rd party

That sounds more like LastPass than 1Password, although I haven't looked at the new subscription offering.

I don't give my passwords to 1Password.


You don't give your passwords to LastPass either, you give them encrypted random noise they can't do anything with.

Which does not change the parent post's point, that with LastPass you're still giving it to a 3rd party who could leak that information for brute forcing.

If someone could brute force my LastPass password I'd be impressed.

And who, exactly, encrypts them for you?

Dropbox was also encrypting your passwords, FWIW.

IIRC encryption and decryption are done on the client side and the server only stores encrypted data.

Dropbox was not encrypting passwords; they were hashing them.

If you stored already-encrypted files on Dropbox, nobody can decrypt those files, provided your encryption key is good.

> Dropbox was not encrypting passwords; they were hashing them.

Incorrect.

That's a really unhelpful comment. Please specify what encryption you think Dropbox is doing on the passwords and what knowledge you have on the topic.

I'm pretty sure you're going to say "they do TLS" and then the person you're talking to can go ahead and explain that the encryption LastPass/1Password does protects an entirely different threat model, but unless you have a conversation here no one is going to be able to communicate a thing.

To be clear, I don't owe you or anyone anything with regard to this conversation. I am not obligated to conform to any particular conversational strategy, and if my intention was to simply claim something was incorrect without elaborating, I am entitled to do so.

That said, I was wrong. I recalled what bcrypt does incorrectly.

How exactly is that incorrect? The article is stating that the passwords are bcrypt and SHA1 hashes.