Using a password manager as a service is my point of contention.
Even if a standalone app vendor goes away, the app still works. There are things that I see are okay as a monthly service, like Netflix or another content provider, where the content is literally changing month to month.
Standalone software that rarely changes, like 1Pass, does not warrant a monthly service fee from me. I am self-hosting the content, so I don't need their cloud services.
Hacking aside... there are many ways in which it can go wrong:
- There can be an outage and you get locked out of your keys. You can have a connectivity issue to the service.
- The service can be discontinued or they could randomly terminate your account based on some automated system decision by mistake, sometimes with no right to appeal...
- They can change leadership and start mismanaging the service, or start selling your data like the services you use and such.
- They can start cutting corners and rushing unsafe things live.
- They can offshore all their development and reboot the team somewhere cheaper, at the expense of introducing defects during the transition.
- They can be ordered by a government to have a backdoor.
- There can be disgruntled employees, infiltrators, bad hires, malicious employees, etc...
And finally, they're a famous service that is known to have the keys to many other systems. This makes it very lucrative for a black hat to attempt to hack them. Even smart, dedicated people are not safe from 0day vulnerabilities that nobody knows exist.
Many things can go wrong. And what happens when they do? You can get locked out of essential services you need, or someone can ruin your life, force you to pay a ransom or even make you homeless if they wanted to.
Then, there are other aspects I don't like much. You can set a secure password, but then your browser will ask you to remember it. Some services allow you to skip MFA on a trusted computer... so then all your stuff is simply behind physical access to one of the trusted devices.
I don't know, it just doesn't feel right to me.
And by the way: I started by saying it's an opinion. It's an unpopular, provocative opinion, but I was honest enough to communicate it was indeed an opinion. I did not say it was a fact. Opinions are subjective, facts are not.