You have secrets; we don’t. Why our data format is public

I love and use 1Password, but bear in mind that passwords are all it encrypts: the rest of the account details, such as URL, are stored in plaintext for an attacker to harvest. :(

I've been using 1Password for a few years now. I'm not qualified to comment on the security aspects of it - I'm trusting them and Apple to take care of that.<p>But I can comment on the superb quality of the user-facing aspects - it's a pleasure to use, has great iPhone and Dropbox support, and I really like the way they communicate as a company.

What's the difference between:<p>1) entering your 1Password master password in untrusted software<p>and<p>2) running untrusted software which could potentially keylog your 1Password master password?<p>Agilebits likes to talk about how 1Password protects against keylogging (<a href="http://help.agilebits.com/1Password3/security.html" rel="nofollow">http://help.agilebits.com/1Password3/security.html</a> and note the author here <a href="http://mackeyloggerprotection.com/" rel="nofollow">http://mackeyloggerprotection.com/</a> ) but what's stopping attackers/malware from keylogging your master password and exfiltrating your 1Password database and master password?

What password manager would you recommend for Linux? I use KeePassX but I wish I didn't have to copy-paste passwords onto website login forms.

In other words, Security through Obscurity does NOT work.

Also worth noting is the (linked) tongue-in-cheek <a href="http://blog.agilebits.com/2012/04/01/cipher-of-advanced-encryption-rotation-and-substitution/" rel="nofollow">http://blog.agilebits.com/2012/04/01/cipher-of-advanced-encr...</a>

Closed-source security software isn't worth very much in my eyes since you can never be sure that it does what the vendor says it does.

With the format being open I really wish a Linux client would happen already.