
And when I say that I will stop using 1password when the local vault no longer works, people look at me like I'm paranoid and crazy.

I've looked at the white paper https://1passwordstatic.com/files/security/1password-white-p..., I think 1password has a decent security posture for their cloud offering but then there's always the risk of a breach where the attacker controls the site and can intercept your master password through it. Same as what happened with British Airways or Lavabit.




There is always the risk of an attacker infiltrating the company to write vulnerabilities or a government forcing the cloud provider to write malicious code in order to degrade security. That's what the U.S. government almost succeeded at forcing Apple to do in the wake of the San Bernardino case.

A local vault is better than a cloud vault, but if that local vault software is written by a commercial company there's still that risk.


> A local vault is better than a cloud vault, but if that local vault software is written by a commercial company there's still that risk.

Depending on your device and platform there's still "that risk" even if it's open source. If you're compromised, you're compromised.


I know more and more people that are unwilling. But it looks like 1Password is still unable to recognize this.


Is that same risk present if you use the app?

My understanding is the app decrypts the vault locally. I guess they could put out a malicious update but then you’d be impacted whether there was a cloud-free option or not.


Yes, but I think it would be harder to push a malicious update, especially since currently 1password doesn't send information on the license when checking for updates. So a malicious update wouldn't be targeted as easily as logging into a web app.

Additionally, exfiltrating the data would be harder for a locally stored vault.


Or controls one of the many apps. Every time I install the Firefox extension I wonder if I’m really able to be sure that I haven’t been directed to a compromised version or lookalike.



