
Rury | 11 months ago

You asked what the difference was. Simply put, you can't hack what does not exist. LastPass also stores passwords encrypted and was hacked.

In other words, no matter how well 1Password handles the storing of your master password (encrypted/decentralized or what not), the fact that it does is inherently less secure than something that doesn't store anything at all, as is the case with a secret heuristic.


commandersaki | 11 months ago

LastPass didn't properly implement E2EE, and they used a weak password hash, which affected low-entropy passwords.

> In other words, no matter of how well 1Password handles the storing of your master password (encrypted/decentralized or what not), the fact that it does is inherently less secure than something that doesn't store anything at all, such as the case with a secret heuristic.

When I say 1P stores your master password encrypted, it usually does so as an item in the vault. You can easily remove it from the vault, and then it doesn't store it anymore, and you can have the same security as your secret heuristic. Storing it in your vault is of negligible concern.

Rury | 11 months ago

You clearly are not a software expert.

If your master password is not stored anywhere, there is no way for 1P to know what your master password is - and so no way to validate what the correct password is to access your vault. Even if 1P doesn't store the master password on local disk, their servers, on a hard device, encrypted, unencrypted, or does it completely algorithmically or whatever... it is in fact stored somewhere outside your brain, and therefore more hackable than something that isn't stored anywhere other than your brain.
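The thread turns on whether a vault must hold the master password somewhere in order to check it. The added example below is not part of the thread and is not 1Password's or LastPass's code; it shows the standard design in which the stored record contains only a salt, an iteration count, ciphertext and an authentication tag, and a password is "validated" purely by whether the key derived from it authenticates and decrypts the vault. To stay standard-library-only it uses PBKDF2-HMAC-SHA256 for key derivation and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC as a stand-in for AES-GCM; the `ITERATIONS` value is an assumption chosen for the demo, and the iteration count is the knob the thread's "weak password hash" remark refers to: a low count makes offline guessing of a stolen record cheap.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the demo; real products tune this per platform.
ITERATIONS = 600_000


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into 64 bytes: 32 for encryption, 32 for MAC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """Encrypt the vault. Nothing derived from the password itself is written out."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_key(password, salt, iterations)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the opener will rely on.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations, "ciphertext": ciphertext, "tag": tag}


def open_vault(password: str, record: dict):
    """Return the plaintext if the password is right, else None.

    The check is implicit: a wrong password derives a wrong MAC key, so the tag
    fails. No password or password hash is compared against anything stored.
    """
    key = derive_key(password, record["salt"], record["iterations"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    keystream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], keystream))


def record_contains(record: dict, needle: bytes) -> bool:
    """Scan every stored byte string for a substring (used to show the password is absent)."""
    return any(needle in value for value in record.values() if isinstance(value, bytes))


if __name__ == "__main__":
    # Constructed sample vault content.
    secret_entry = b"site: example.com / password: hunter2"
    rec = seal_vault("correct horse battery staple", secret_entry)
    print("stored fields:", sorted(rec))
    print("master password present in record:", record_contains(rec, b"correct horse battery staple"))
    print("right password ->", open_vault("correct horse battery staple", rec))
    print("wrong password ->", open_vault("Tr0ub4dor&3", rec))
```

The only thing an attacker who steals the record can do is run `derive_key` over candidate passwords and test each tag, which is exactly why the iteration count and the entropy of the master password together decide how much a breach of the stored record costs.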