by chrisfosterelli 3583 days ago
You don't give your passwords to LastPass either, you give them encrypted random noise they can't do anything with.
2 comments

Which does not change the parent post's point, that with LastPass you're still giving it to a 3rd party who could leak that information for brute forcing.

If someone could brute force my LastPass password I'd be impressed.

And who, exactly, encrypts them for you?

Dropbox was also encrypting your passwords, FWIW.

IIRC encryption and decryption are done on the client side and the server only stores encrypted data.

Dropbox was not encrypting passwords; they were hashing them.

If you stored already-encrypted files on Dropbox, nobody can decrypt those files, provided your encryption key is good.

> Dropbox was not encrypting passwords; they were hashing them.

Incorrect.

That's a really unhelpful comment. Please specify what encryption you think Dropbox is doing on the passwords and what knowledge you have on the topic.

I'm pretty sure you're going to say "they do TLS" and then the person you're talking to can go ahead and explain that the encryption LastPass/1Password does protects an entirely different threat model, but unless you have a conversation here no one is going to be able to communicate a thing.

To be clear, I don't owe you or anyone anything with regards to this conversation. I am not obligated to conform to any particular conversational strategy, and if my intention was to simply claim something was incorrect without elaborating, I am entitled to do so.

That said, I was wrong. I recalled what bcrypt does incorrectly.

Good luck with that.

How exactly is that incorrect? The article is stating that the passwords are bcrypt and SHA1 hashes.