2 comments

[ 5.0 ms ] story [ 13.2 ms ] thread
I'd always viewed password tools like this as less secure than 1Password etc.

With 1Password an attacker needs my encrypted vault and my master password to get my email password.

With this, they just need the master password (since they can guess the domain and revision number presumably?)

That's true, and should be viewed as a possible risk. However, there is still more implicit trust in 1Password and similar companies that is often not mentioned:

* They run mostly closed source system. Thus one has no idea what happens on backend, and what data is actually sent

* The encrypted vault already belongs to them. In fact, all encrypted vaults live in the same place, which makes it very attractive for hacker attacks

So effectively, leaking Master Password for 1Password might have just as bad effect as leaking it for DerivePass. Depending on how much you trust both entities.