The reason I haven't used 1Password yet, though its auto-generated passwords have to be safer than what I'm using, is that you...

  1. Have a single point of failure for all your passwords, and,
  2. Will transport those passwords through the cloud.

Looks like 1Password just started showing the issues with 1.)... From a wrap-up on Michael Tsai's site:

So it appears 1Password is sending data to the browser extensions over the loopback interface in clear text and not only passwords but credit card data as well if you use it for checkout forms. If anyone is sniffing your loopback they can get any data passing between the two.

The reply from 1Password makes some sense...

Officially our view is “if a malicious process with user privileges is running on the user's machine when they use 1Password, there is little we can do”.

Fair enough, but, again, one mistake in their code means all of your danged passwords are out. If someone is sniffing your loopback, well, all your passwords and 1Password info are out.

If they make this sort of mistake in moving things around the cloud, it's no longer a local machine issue.

Use strong passwords, and keep your use of them to a minimum. Keep your laptops pretty clean and your home computers turned off when you're not using them. In short, be smart. Don't depend on a cloud service to be smart for you.
