
twovests wrote

This is definitely a fair question. It's not entirely verifiable by oneself, and there's a lot of weird security things to consider.

I also use 1Password. In terms of trusting someone's server, that's actually a big reason they use end-to-end encryption. It means the server holds encrypted data, but not the means to un-encrypt. So, if 1Password's servers were compromised and the encrypted password vaults were downloaded, it'd still be extremely difficult and expensive to extract someone's passwords from it. (They have a blog post on this.) There'd be easier ways to get that information from someone. Relevant XKCD.

In terms of trusting code, it's rather difficult. There are open-source components that people may look at, but it's possible to sneak things into code in a litany of ways. (Most popular: Ken Thompson's "compiler hack", 1984).

I don't know if I'm more tech savvy than you, but I can't verify any of this on my own. I do have some cryptography experience and I can vouch that 1Password's methods seem 1. Good, and 2. Rad as fuck. But my faith is in the vocal, extremely-critical, and never-satisfied tech community that is always prepared to rip to shreds any security company that fails.

Anyways, all this rambling aside, passwords are outdated but we still need them, and password managers are the only real option around the flaws of passwords. MFA / 2FA is also very very good, so even if your passwords are lost, they'll need to do more to get into your accounts. I use 2FA, so I could list my passwords here and still feel safe.
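The end-to-end point made above (the server stores only ciphertext and cannot derive the key) can be shown in a few lines. The following is an added illustration, not code from this thread, from 1Password, or a description of 1Password's actual protocol: the function names, the iteration count, and the HMAC-based keystream are all constructed for the example. The stdlib has no AES-GCM, so an HMAC-SHA256 counter-mode keystream plus an HMAC tag stands in for a real AEAD; the structure (password stretched client-side with a stored salt, server record holding no key material, authentication tag rejecting a wrong password or a tampered blob) is what matters.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed parameter for this example. A real product tunes this and uses
# a vetted AEAD (e.g. AES-GCM) rather than the HMAC keystream below.
PBKDF2_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys.

    The salt is stored on the server beside the ciphertext; the master
    password never leaves the client, so the server cannot run this step.
    """
    root = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, 32
    )
    enc_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"vault-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, plaintext: bytes) -> Dict[str, bytes]:
    """Client side: build the record the server stores. No key material in it."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Tag covers nonce and ciphertext, so any tampering is detected before decrypting.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_vault(master_password: str, record: Dict[str, bytes]) -> Optional[bytes]:
    """Client side: plaintext, or None when the tag fails (wrong password or tampering)."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    ks = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], ks))


def server_view(record: Dict[str, bytes]) -> Dict[str, str]:
    """Everything a breach of the server would expose: public parameters and ciphertext."""
    return {name: value.hex() for name, value in record.items()}


if __name__ == "__main__":
    # Constructed sample vault contents.
    vault = b'{"example.com": "correct horse battery staple"}'
    stored = encrypt_vault("a-long-master-passphrase", vault)
    print("server holds:", server_view(stored))
    print("right password ->", decrypt_vault("a-long-master-passphrase", stored))
    print("wrong password ->", decrypt_vault("guess", stored))
```

Each decryption attempt with a guessed master password costs a full PBKDF2 run, which is where the "expensive" part of offline attacks on a leaked vault comes from; the record itself gives an attacker only the salt, nonce, ciphertext and tag.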