We use 1Password at work, at my suggestion from 10-12 years ago, when it was an app on your device with an encrypted on-device file you could choose to store on iCloud/Dropbox/GoogleDrive/wherever.
Then they changed to the web app and implemented teams, which is what we use today.
Work has decided the risk of 1Password going rogue is acceptable - but that's in the full knowledge that since they are serving the JavaScript that's doing the client-side encryption/decryption, there's no guarantee they can't serve (or be coerced into serving) malicious JavaScript that decrypts and exfiltrates all credentials and secrets any user has access to.
Pragmatically, I'm (mostly) OK with accepting that. If we have a threat model that realistically includes the sort of state-level actor who could coerce a company like 1Password to launch an exploit against us - then we've lost already. Like James Mickens said, "YOU'RE STILL GONNA BE MOSSAD'D UPON!!!"
One of my hobbies is recreational paranoia though. So I use something else (KeyPass) for my personal stuff now.