Differences
| hosted_pwm [2026/05/23 01:56] – particles | hosted_pwm [2026/05/23 02:34] (current) – particles |
|---|---|
| ====== Hosted password managers: I avoid them ====== | ====== Hosted password managers: I avoid them ====== |
| | |
| I tend to avoid any hosted password manager, like LastPass, Bitwarden, and 1Password. All of these password managers share the feature that you must enter your "master password" on a //website// or an application hosted on a web URL. | I tend to avoid any hosted password manager, like LastPass, Bitwarden, and 1Password((Unlike LastPass, Bitwarden, and Dashlane, 1Password is significantly more resilient to most forms of attack due to the presence of the "secret key", which, if lost, would cause the loss of all vault data. The secret key is elaborated on in //Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers// by Scarlata et al. The caveat is that the trivial client compromise is still possible.)). All of these password managers share the feature that you must enter your "master password" on a //website// or an application hosted on a web URL. |
| | |
| It is absolutely trivial for any website to be transparently updated to capture and store your "master password" or other credentials. A simple programmer error, failure in a CI/CD pipeline, or credential failure at the password manager company can lead to a full compromise of the hosted stack with relative ease. Also, because these companies manage credentials for all of their customers, they are prime targets for hacking. | It is absolutely trivial for any website to be transparently updated to capture and store your "master password" or other credentials. A simple programmer error, failure in a CI/CD pipeline, or credential failure at the password manager company can lead to a full compromise of the hosted stack with relative ease. Also, because these companies manage credentials for all of their customers, they are prime targets for hacking. |
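One defender-side check for the "transparently updated" risk described above, as an added example that is not part of this page or of any password manager vendor's code: pin a manifest of the SHA-256 hashes of every script a hosted client served at a known-good moment, then flag any added, removed or rebuilt script on later loads. The sample files, paths and script bodies are constructed for the example.

```python
import hashlib
import re

# Constructed sample: the files a hosted password-manager login page might
# serve before and after a silent redeploy. Illustrative strings only, not
# captured from any real vendor.
CLIENT_V1 = {
    "index.html": '<script src="/app.js"></script><script src="/vendor.js"></script>',
    "/app.js": "function unlock(pw) { return deriveKey(pw); }",
    "/vendor.js": "/* vendor bundle 1.0 */",
}
CLIENT_V2 = {
    "index.html": '<script src="/app.js"></script><script src="/vendor.js"></script>'
                  '<script src="/extra.js"></script>',
    "/app.js": "function unlock(pw) { return deriveKey(pw); } // rebuilt",
    "/vendor.js": "/* vendor bundle 1.0 */",
    "/extra.js": "/* script that was not in the pinned build */",
}

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc="([^"]+)"', re.IGNORECASE)


def script_urls(html):
    """Return the script URLs referenced by an HTML document, in document order."""
    return SCRIPT_SRC.findall(html)


def fingerprint(client):
    """Map every script the entry page references to the SHA-256 of its body.

    `client` stands in for an HTTP fetch: a dict of path -> served text.
    A referenced script that the server does not serve hashes to None.
    """
    result = {}
    for url in script_urls(client["index.html"]):
        body = client.get(url)
        result[url] = None if body is None else hashlib.sha256(body.encode()).hexdigest()
    return result


def compare(pinned, observed):
    """Classify drift between a pinned manifest and what is served now."""
    return {
        "added": sorted(set(observed) - set(pinned)),
        "removed": sorted(set(pinned) - set(observed)),
        "changed": sorted(u for u in pinned if u in observed and pinned[u] != observed[u]),
    }


def client_unchanged(pinned, client):
    """Return (ok, drift); ok is True only when the served client matches the pin exactly."""
    drift = compare(pinned, fingerprint(client))
    return not any(drift.values()), drift
```

The pinned manifest is only meaningful if it is held outside the vendor's infrastructure; the same comparison run from the hosted site itself proves nothing.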