Strange that the article doesn’t specify the $100 for what… I assume computing power.

Headline reads as if someone is offering it as a service. Anyone else read it like that?
Can anyone explain why all the emphasis on hashing algorithms? Can't the attacker just treat the encrypted vault like a black box and brute force passwords against it? Or is there some additional key material that needs to be guessed along with the password?

For example, if the master password is one of the 100k most common passwords, can the attacker loop through those passwords and attempt to open the vault with each? So there would only be 100k iterations required? Or does each check need its own set of iterations?
Can anyone recommend some “offline only” password generation tools? I don’t see why passwords need to be stored on a server at all.
Something with mobile support would be ideal
This blog post is the biggest load of shit I have read in a while; it jumps all over the place and does not deliver the message that it is trying to. Instead it demonstrates arrogance by the author.

The difference between being breached and not being breached is huge, and this author's mindset about 1Password's security would change a lot if he were in LastPass's shoes.
Goldberg's answer "The 1Password Secret Key may not be the most user-friendly aspect of our human-centered design..." is unfortunately true.

We experienced a lack of understanding on the user side that this secret key needs to be printed and stored safely. It feels like a huge barrier for the adoption of 1Password for non-IT-affine people.

This and other challenges led us to develop heylogin, which does not require a master password and has no secret key that needs to be printed. Instead we generate cryptographic keys using the user's smartphone. For providing your desktop browser temporary access to passwords, you simply confirm on your smartphone. This feels similar to modern SSO solutions but is technically a password manager.
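The question in the second comment (does each password guess need its own full set of KDF iterations?) and the Secret Key discussion in the last comment both come down to the same mechanics, so one added example covers both. This is illustration code written for this thread, not code from 1Password, LastPass, heylogin or any commenter. It models a vault as a stored verifier that can only be checked by running the complete key derivation for each candidate: the hashing emphasis matters because the "black box" check costs a full PBKDF2 run per guess, and a random 128-bit secret key mixed into the derivation (here simply concatenated to the password, a deliberate simplification of how real products combine the two) turns a 100k-word guess space into one that no amount of computing money covers. The iteration count, salt, verifier construction and timing estimate are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed parameters for the demonstration; real products pick their own cost.
ITERATIONS = 100_000
KEY_LEN = 32


def derive_key(password: str, salt: bytes, secret_key: str = "",
               iterations: int = ITERATIONS) -> bytes:
    """Run the full PBKDF2-HMAC-SHA256 work for one (password, secret key) candidate.

    Simplified model: the secret key is concatenated to the password. The point
    is that every candidate must repeat all `iterations` before it can be tested;
    there is no shortcut that lets one run serve several guesses.
    """
    material = (password + secret_key).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=KEY_LEN)


def make_verifier(derived_key: bytes) -> bytes:
    """What a 'black box' vault check amounts to: a hash of the derived key that
    confirms a candidate unlocks the vault without revealing the key itself."""
    return hashlib.sha256(derived_key).digest()


def vault_unlocks(verifier: bytes, password: str, salt: bytes, secret_key: str = "") -> bool:
    """Check one candidate against the stored verifier. Each call pays the full KDF cost."""
    candidate = make_verifier(derive_key(password, salt, secret_key))
    return hmac.compare_digest(candidate, verifier)


def seconds_per_guess(salt: bytes) -> float:
    """Measure the wall-clock cost of a single derivation on this machine."""
    start = time.perf_counter()
    derive_key("timing-probe", salt)
    return time.perf_counter() - start


def guess_cost_seconds(candidates: int, per_guess: float) -> float:
    """Sequential cost of exhausting a candidate space: one full KDF run per candidate."""
    return candidates * per_guess


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed per-vault salt
    secret_key = os.urandom(16).hex()          # 128 random bits, like a printed secret key
    verifier = make_verifier(derive_key("correct horse battery staple", salt, secret_key))

    print("right password, no secret key :", vault_unlocks(verifier, "correct horse battery staple", salt))
    print("right password + secret key   :", vault_unlocks(verifier, "correct horse battery staple", salt, secret_key))

    per_guess = seconds_per_guess(salt)
    print(f"one guess costs ~{per_guess:.3f} s at {ITERATIONS} iterations")
    print(f"100k common passwords, no secret key: ~{guess_cost_seconds(100_000, per_guess) / 3600:.1f} hours")
    print(f"100k passwords x 2^128 secret keys  : ~{guess_cost_seconds(100_000 * 2**128, per_guess):.3e} s")
```

Running the script answers the comment's question directly: the verifier is a black box, but the only way to test a candidate against it is to pay the full iteration count, so 100k guesses means 100k complete derivations, and the iteration count sets the attacker's bill. It also shows why Goldberg's answer is a trade-off rather than a flaw: the same password without the secret key fails to unlock the vault, and the secret key's 128 bits push the guess space from hours to astronomically long, at the cost of the user having to keep that key somewhere.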