Jeffrey GoldbergDec 28, 2022

I and my employers, #1Password, have never directly criticized a competitor before. But #LastPass's claim that it would take "millions of years" to crack the data made available from the breach needed to be addressed explicitly.

I also take the opportunity to explain why 1Password's distinct security architecture would keep users safe if we were to be breached.

https://blog.1password.com/not-in-a-million-years/

Not in a million years: It can take far less to crack a LastPass password | 1Password

How 1Password goes above and beyond to protect you in the event of a data breach.

1Password Blog
Show threadLunatechDec 29, 2022
@jpgoldberg I understand that you and your employers believe with all your hearts that your servers can't be hacked and then user passwords obtained. But you used to give your paying customers the option to store their passwords on their own home systems only, and now you don't. The password that is never put in the cloud is the one that can't be hacked from the cloud. But for some reason your company has decided that your customers (again, PAYING customers, not freeloaders) should not be able to decide for themselves which method of storage they are most comfortable with. And that is why, if I am ever forced to stop using the older version of #1Password that still supports local password storage, I won't be using 1Password going forward. So, that's something else that will not happen in a million years - me and my family returning as your customers.
Show threadJeffrey GoldbergDec 29, 2022

@Lunatech, we explicitly said that we have to plan for being hacked. That is why we designed the whole Secret Key thing. It is to protect users in the event that we get hacked.

If your synching mechanism provides better privacy and security than ours, that’s great. I do not believe that that would be the case for the overwhelming majority of 1Password users. Security choices must be made among viable alternatives.

Show threadJeffrey Goldberg
@Lunatech, perhaps you have your own hardened rsync server or you only move your data around through purely local connections. And perhaps you never need to share some set of items with colleagues or family members. And that’s great. KeePass* may be a good choice for you. But my experience is that many people contrast our sync against an ideal instead of the reality of how they manage sync.
Dec 29, 2022 at 11:25pmWeb