> Passphrase compromised? If they're hosting, you know exactly where to go to access my passwords. If I'm hosting, I can tell you that I use 1Password and my master password and I'm still _relatively_ safe in that you don't even know where to find a copy of my password database.
> The above argument seems to turn out the same even for cloud-synced vaults.
> If Dropbox suffered a massive hack, the malicious actor could take all the *.agilekeychain and *.opvault files stored there, brute force the master passwords locally, and have potentially complete control over some people's finances and online lives.
Absolutely. We can kinda diffuse that risk out though if we have these files across a bunch of different services (some use OneDrive, some use AgileBits, some use Dropbox, etc).
Would we be better off if instead of one company like Equifax having _everyone_'s information, we had a company per state?
That all said, I actually self-host my (now KeePassXC, because of 1Password's push to cloud) databases on my own hardware, so for me it's truly a solution.