Hacker News new | ask | show | jobs
by javagram 2565 days ago
I have never used 1password.com.

Adding 2FA to it is great but I think the best security is likely still just to sync and use local apps for this data, to avoid being exposed to any JavaScript vulnerabilities or if 1password.com were ever hacked.
2 comments
jmull 2565 days ago
I've been using 1password for some years, but I'm not even sure what the use case for the web site is.

I have a "vault" (1password's term for an encrypted file containing passwords and related info) that's sync'd across devices through dropbox (and accessed through a locally installed app), which I think is what you're suggesting.

Anyway, I think there's no particular need to access passwords through the site.

I'd definitely feel uncomfortable typing my 1password vault password into a web page or anything else besides the apps.

link
alienreborn 2565 days ago
1Password has Wifi Sync option too.
link
javagram 2565 days ago
Yep! 1password is great. I do use their cloud sync service with all the apps, I just don’t ever use the website or the browser extensions to limit my exposure.
link
AGKyle 2565 days ago
Note that the browser extension actually does limit your exposure quite a bit. You make trade offs here.

For instance, if you aren't using the browser extensions, how are you getting your password to the browser to sign in? Copying and pasting? It's possible for any app on your system to read the clipboard.

Drag and drop should be a better alternative there, as we now support that in 1Password 7.

The extension though uses either Safari App Extension (for Safari, obviously) or Native Messaging Host (Firefox and Chrome browsers) and aren't susceptible to clipboard type snooping.

The browser extensions also only present items that match the website you're on. This helps a lot in phishing attempts.

So, yea, you could not use the browser extensions but you're going to have to trust that YOU always do the right thing.

Note again that 1Password does not "auto fill" like other password managers, where simply visiting the site fills the data in. You always have to explicitly ask 1Password to fill into the page.

Just some insight anyway.

Kyle

1Password

link
javagram 2560 days ago
Thanks Kyle. I do appreciate your response! And the tip about drag-and-drop, I may make use of that :)
link