That's true, and should be viewed as a possible risk. However, there is still more implicit trust in 1Password and similar companies that is often not mentioned:
* They run mostly closed source system. Thus one has no idea what happens on backend, and what data is actually sent
* The encrypted vault already belongs to them. In fact, all encrypted vaults live in the same place, which makes it very attractive for hacker attacks
So effectively, leaking Master Password for 1Password might have just as bad effect as leaking it for DerivePass. Depending on how much you trust both entities.
2 comments
[ 5.0 ms ] story [ 13.2 ms ] threadWith 1Password an attacker needs my encrypted vault and my master password to get my email password.
With this, they just need the master password (since they can guess the domain and revision number presumably?)
* They run mostly closed source system. Thus one has no idea what happens on backend, and what data is actually sent
* The encrypted vault already belongs to them. In fact, all encrypted vaults live in the same place, which makes it very attractive for hacker attacks
So effectively, leaking Master Password for 1Password might have just as bad effect as leaking it for DerivePass. Depending on how much you trust both entities.