
I wonder if these risks also exist with a service like 1Password. How can you know if they are, in fact, actually encrypting every single detail associated with the login? It's not like we can view the servers ourselves.


1Password also uses a secret key in addition to your master password to encrypt your data. You enter the secret key when setting up the account on a new device.

So a hacker would have to get hold of the encrypted data, together with the secret key for each account. The secret key isn't stored by 1Password, requiring the hacker to brute force it. However, each key provides 128 bits of entropy, which makes it infeasible to brute force with current technology.

More info: https://support.1password.com/secret-key-security/
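To illustrate the point made above, here is an added example (written for this thread, not 1Password's own code) of a key derivation that needs both the master password and a 128-bit secret key; the PBKDF2 work factor, the XOR combination and the stored key-check value are assumptions of the illustration, not a description of 1Password's actual scheme.

```python
import hashlib
import hmac
import secrets

SECRET_KEY_BYTES = 16          # 128 bits of entropy, as the comment above states
PBKDF2_ITERATIONS = 100_000    # assumed work factor for this illustration


def generate_secret_key() -> bytes:
    """Random 128-bit secret key, generated on the device and never sent to the server."""
    return secrets.token_bytes(SECRET_KEY_BYTES)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine password and secret key so that neither alone yields the vault key."""
    # Slow hash of the password: the per-guess cost is paid here.
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, PBKDF2_ITERATIONS, dklen=32)
    # Expand the 128-bit secret key to 32 bytes with an HMAC (HKDF-extract style).
    sk_part = hmac.new(salt, secret_key, hashlib.sha256).digest()
    # XOR the two parts: the result is unpredictable unless BOTH inputs are known.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def key_check_value(vault_key: bytes) -> bytes:
    """MAC over a fixed label, stored beside the encrypted vault to verify a derived key."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def unlock(master_password: str, secret_key: bytes, salt: bytes, stored_kcv: bytes) -> bool:
    """True only if password AND secret key reproduce the key behind stored_kcv."""
    candidate = key_check_value(derive_vault_key(master_password, secret_key, salt))
    return hmac.compare_digest(candidate, stored_kcv)


def demo() -> dict:
    """Constructed scenario: what a leaked server-side copy (salt + KCV) lets anyone test."""
    salt = secrets.token_bytes(16)
    secret_key = generate_secret_key()
    password = "correct horse battery staple"        # constructed sample password
    stored_kcv = key_check_value(derive_vault_key(password, secret_key, salt))
    return {
        "owner_unlocks": unlock(password, secret_key, salt, stored_kcv),
        # Even the exact password fails without the device-held secret key.
        "password_only": unlock(password, b"\x00" * SECRET_KEY_BYTES, salt, stored_kcv),
        "key_only": unlock("", secret_key, salt, stored_kcv),
        "secret_key_bits": SECRET_KEY_BYTES * 8,
    }
```

With only the server-side copy, every password guess must also be paired with one of 2^128 secret keys, which is the infeasibility the comment refers to.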


But the issue in this thread is less about how the encryption is done compared to the amount of data that is actually encrypted. I wonder if 1Password encrypts everything, in addition to passwords.


My understanding is that they do, but there are some caveats. For example, the feature that tells you if 2FA is available for a website presumably requires sending an HTTP request to 1Password servers including the domain of the website.

Although it's possible they implement this with a local Bloom filter or something. I'm just speculating. And either way, those requests would only end up stored in some server logs somewhere, rather than in a database row directly linked to your vault.

EDIT: It is in fact done locally. :) See: https://support.1password.com/watchtower-privacy/


Bitwarden and other self-hostable open source solutions do allow you to verify everything is encrypted, though you have to self-host to truly verify it (since it's always possible the official hosting service runs different software).


