by jupp0r 3301 days ago
I'm not a user of OneLogin, but if they store encrypted passwords and encryption keys, their security model is fundamentally broken imho and I'd never give them my passwords.

Better services (1password for example) are specifically designed to never know your master password/key to avoid this very situation.

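The distinction the post draws, as an added example that is not part of the thread or of any product's actual code: a client-side key derivation in which the server stores only a salt, a login verifier and an opaque encrypted blob, placed next to the design the post objects to, where the encryption key sits in the same database as the ciphertext. The PBKDF2 work factor, the HMAC-based stream cipher (a constructed stand-in for an AEAD such as AES-GCM so the example runs on the standard library alone), the class and function names and the sample vault contents are all assumptions of this example.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 200_000  # assumption: PBKDF2 work factor, tuned per product in practice
NONCE_LEN = 16


def derive_keys(master_password, secret_key, salt):
    """Client-side derivation: the master password and the device-held secret key
    never leave the client. Two independent keys are split off one slow
    derivation so the server only ever sees the authentication key."""
    base = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt + secret_key, KDF_ITERATIONS, dklen=32
    )
    vault_key = hmac.new(base, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(base, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key


def _keystream_xor(key, nonce, data):
    """Constructed toy cipher for this example (HMAC-SHA256 in counter mode).
    It has no integrity tag; a real vault would use an AEAD such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_vault(vault_key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(vault_key, nonce, plaintext)


def decrypt_vault(vault_key, blob):
    return _keystream_xor(vault_key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class ZeroKnowledgeServer:
    """Per user: a salt, a verifier derived from the auth key, and the opaque
    encrypted blob. No key material is stored."""

    def __init__(self):
        self.records = {}

    def enroll(self, user, salt, auth_key, blob):
        # Hash the auth key before storing it so a database dump does not
        # even yield a credential that could be replayed to log in.
        self.records[user] = {
            "salt": salt,
            "verifier": hashlib.sha256(auth_key).digest(),
            "blob": blob,
        }

    def login(self, user, auth_key):
        rec = self.records[user]
        return hmac.compare_digest(rec["verifier"], hashlib.sha256(auth_key).digest())

    def fetch_blob(self, user):
        return self.records[user]["blob"]


class KeyHoldingServer:
    """The model the post objects to: ciphertext and its key side by side, so
    anyone holding a copy of the database reads every vault."""

    def __init__(self):
        self.records = {}

    def enroll(self, user, vault_key, blob):
        self.records[user] = {"key": vault_key, "blob": blob}


def run_demo():
    # Constructed sample data for the example.
    master_password = "correct horse battery staple"
    secret_key = os.urandom(32)  # generated on the device, shown to the user once
    salt = os.urandom(16)
    vault_plaintext = b"example.com: hunter2\nbank.example: s3cr3t"

    vault_key, auth_key = derive_keys(master_password, secret_key, salt)
    blob = encrypt_vault(vault_key, vault_plaintext)

    good = ZeroKnowledgeServer()
    good.enroll("alice", salt, auth_key, blob)
    bad = KeyHoldingServer()
    bad.enroll("alice", vault_key, blob)

    # Legitimate client: re-derives keys locally, logs in, decrypts what it fetched.
    vk2, ak2 = derive_keys(master_password, secret_key, salt)
    client_ok = good.login("alice", ak2) and decrypt_vault(vk2, good.fetch_blob("alice")) == vault_plaintext

    # A full copy of the zero-knowledge server's record contains neither key.
    rec_good = good.records["alice"]
    zk_dump_has_key = vault_key in rec_good.values() or auth_key in rec_good.values()

    # A copy of the key-holding server's record decrypts the vault directly.
    rec_bad = bad.records["alice"]
    key_holding_dump_reads_vault = decrypt_vault(rec_bad["key"], rec_bad["blob"]) == vault_plaintext

    return {
        "client_can_decrypt": client_ok,
        "zero_knowledge_dump_contains_key": zk_dump_has_key,
        "key_holding_dump_reads_vault": key_holding_dump_reads_vault,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of splitting `vault_key` and `auth_key` off one derivation is that the server can authenticate the client with a value that is useless for decryption, and storing only a hash of that value means a leaked database yields neither a decryption key nor a replayable login credential. The encryption primitive here is deliberately a placeholder; what a real product gains from an AEAD is tamper detection, which the toy cipher lacks.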

You misunderstand: OneLogin is a web SSO implementation, not a password manager. By necessity they have access to customers' authentication services because OneLogin functions as a SAML/OIDC identity provider. It's no different than if you ran AD FS or Shibboleth yourself.
I'm also a 1Password customer and just went back to their site to confirm this. I was pretty sure they didn't store my master password or my secret key, because that would be insane.

I wonder if in this case OneLogin was the victim of a MITM attack while the attacker had access to their infrastructure?

So they didn't decrypt data at rest that they obtained but rather they captured activity in transit?

Either way it sounds like OneLogin had some implementation issues.

Do any of those better designed services support Linux?
I use enpass, which supports Linux. It's not open source, but it's built on an open source sqlite extension called SqlCipher. That doesn't guarantee the applications that use it are solid, but I like the tradeoff it provides.
All of them.
Except 1Password - unless you want to use it through the browser only, which is nowhere near as convenient.
1Password and DashLane don't :/
LastPass