commandersaki | 13 days ago
1Password did really well, but it doesn't get off scot-free, as there's a vault substitution attack described in Appendix D where an attacker could substitute a vault, and items the user freshly creates in that vault could then be read by the attacker. I don't think by any stretch it would be easy to pull off, and I imagine applying the fix, despite being simple, would require a significant architecture overhaul across 1P applications, protocol, and architecture. But otherwise it does well against its rivals, and a lot of that is thanks to having a high-entropy key masking the password used to unlock a vault, meaning dictionary attacks are not even possible.