Rury | 11 months ago

You're the one that's grasping at straws and doesn't understand that 1P needs to store something in order to validate or generate your master password. The fact that this does happen makes it less secure in comparison to not storing anything, as you can't hack something which does not exist.

> Given a sample set of passwords derived from a secret heuristic, it could be reversed. The secret heuristic isn't completely safe either.

Sure but this isn't the argument being made. As an analogy, not using any E2E is inherently less secure than using some E2E encryption, but using E2E encryption doesn't automatically mean you're more secure. Simply put, you had asked "What's the difference between a master password and a secret heuristic?" And that difference is a master password (or ways to generate it) must be stored outside your brain, and doing this is inherently less secure than not doing this.

commandersaki | 11 months ago

I already told you what it needs to store and it isn’t the master password. No master password needs to be “validated” even when authenticating to 1P servers. You clearly have a fundamental misunderstanding of cryptography. Anyways this is all explained in the 1Password security whitepaper.

Rury | 11 months ago

No, I understand dual key encryption, and like I said, there is still something stored (the key as well as the passwords in the vault). What you do not understand is how this is inherently less secure than not storing anything at all.

To give you a concrete example, 1Password doesn't guarantee you from, say, being compromised by a keylogger and someone stealing your master password (never mind the key, which is in fact stored). A secret heuristic doesn't necessarily face such risks. Sure, that doesn't automatically mean a secret heuristic guarantees you better security, but that's not the argument.