by sciens3_ 476 days ago
Centralizing everyone’s credentials after all these years still seems like the most risky idea ever. The only thing possibly more attractive to a hacker would be free sex and drugs, but only for a little while, and then they’d go back to trying to steal everyone’s credentials.

Some other targets: everyone’s PII, info on friends, family, pets, answers to security questions, mobile IDs, PIN numbers, account numbers, signatures, photos, fingerprints, voice patterns, facial and retinal scans, gaits, DNA, mitochondrial RNA.


I have similar gripes, but I still feel like on balance, randomizing passwords across accounts is more important. Selfhost vaultwarden ftw (or not — don’t f*ck it up)
> Selfhost vaultwarden ftw (or not — don’t f*ck it up)

Right. Randomizing passwords doesn’t require centralization.

Truly the chain of decisions that got us here is baffling.

"Use random high entropy passwords for each account"

good

"Store them encrypted"

great

"In a computer publicly available on the internet"

wat

"Under an account that also handles your 2fa tokens"

c'mon now!

If you do e2ee correctly this is a non-issue. See 1Password for one way to do it right.
How is any of this a threat to 1Password E2EE?

The point is if they even have access to my encrypted data, they wouldn't be able to access the plaintext without the key (and yes the passphrase is not sufficient).

This is just lazy scaremongering.
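To make the "passphrase is not sufficient" point above concrete, here is an added example (not from the thread and not 1Password's own code or specification) that models a two-secret key derivation: the vault key mixes the passphrase with a high-entropy secret kept only on the user's devices, so a copy of the server-side record alone cannot confirm even a correct passphrase guess. The HKDF-style helper, the record layout and the candidate list are constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Simplified two-secret model written for this example: the vault key depends
# on BOTH the passphrase and a device-held secret key. Not 1Password's spec.

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Single-block HKDF (extract + one expand step), enough for a 32-byte key."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def derive_vault_key(passphrase: str, account_salt: bytes,
                     secret_key: Optional[bytes]) -> bytes:
    """secret_key=None models a passphrase-only design (one factor)."""
    pw_part = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), account_salt,
                                  50_000, 32)
    if secret_key is None:
        return pw_part
    sk_part = hkdf_sha256(secret_key, account_salt, b"vault-key")
    # Mix the two factors; without sk_part the real key is unreachable.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def make_server_record(passphrase: str, secret_key: Optional[bytes]) -> dict:
    """What the service stores, i.e. what a server breach would expose."""
    salt = os.urandom(16)
    key = derive_vault_key(passphrase, salt, secret_key)
    verifier = hmac.new(key, b"key-confirmation", hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier}

def offline_guess(record: dict, candidates, secret_key: Optional[bytes] = None):
    """Return the passphrase whose derived key matches the stored verifier, if any.

    Models what someone holding only the server record can confirm: with a
    passphrase-only design a correct guess is confirmable; with the secret key
    mixed in, the same guess confirms nothing unless the device secret is held.
    """
    for pw in candidates:
        key = derive_vault_key(pw, record["salt"], secret_key)
        probe = hmac.new(key, b"key-confirmation", hashlib.sha256).digest()
        if hmac.compare_digest(probe, record["verifier"]):
            return pw
    return None

# Constructed candidate list containing the real passphrase used below.
CANDIDATES = ["password", "hunter2", "correct horse battery staple"]
```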