by eridius
2740 days ago
I'm confused as to what the security issue is here.

> Limiting the access of unencrypted passwords to only properly set up 1PW applications would seem to eliminate the possible (probable?) web-based attack vector to a 1password.com account.

This doesn't make sense. What's a "properly set up 1PW application"? Presumably that's an instance of 1Password that has been given both the master password and account key for the account. But when you use the web-based portal, you have to give it, yep, the master password and account key. Anyone who is able to access the passwords using the web portal can already set up a local instance of the 1PW application that syncs with the same account.

Ultimately, asking to "disable browser access" is basically the same thing as asking to "disable the syncing API", which would obviously defeat the entire point of having the family account.
I trust the local 1Password apps enough to supply them my master password to unlock vaults locally.
I trust Dropbox enough to not sync the encrypted store somewhere I don't want it ending up.
It's a separation of concerns argument. I likely won't hold up to any targeted attack on my personal property given how careless I am with local devices, but I should be somewhat protected against your typical dragnet / mass attack against either service remotely.