
My point is that it doesn't need to sync. Ignore syncing. I'd even prefer to download and upload the backups by hand, rather than put it all in someone else's control in a browser environment.

Cloud password systems are like running all your security-sensitive code in an Electron app: an impossibly large attack surface with many significant flaws in some of your most sensitive uses. It doesn't make sense if you care about security at all. At least extensions are moderately well sandboxed compared to websites (since it'd be trivial to ship new JavaScript from their site).



> Ignore syncing

Try building a password manager that doesn’t sync and let me know how sales go. :)

> Cloud password systems are like running all your security-sensitive code in an Electron app: an impossibly large attack surface with many significant flaws in some of your most sensitive uses. It doesn't make sense if you care about security at all. At least extensions are moderately well sandboxed compared to websites (since it'd be trivial to ship new JavaScript from their site).

You are correct in that the web browser is a very hostile environment. We're working to minimize what tasks need a web browser, and have already got it such that the entire sign-up flow can be completed in-app at least on iOS.

Ben Woodruff

AgileBits


> Try building a password manager that doesn’t sync and let me know how sales go. :)

Well... 1Password arguably doesn't sync (until the cloud stuff). It stores files on disk, and Dropbox syncs them behind the scenes. Given my backup size vs. how often I change it, I honestly wouldn't care if it were one blob that were uploaded / downloaded at once for every change, rather than all the small pieces it does now (I assume this is to speed up sync by a ton? It's also a major source of sync conflicts that lose data, since Dropbox will store both copies on conflict (minus bugs), so it's a horse apiece).

So it works pretty well, apparently. See also KeePass* and many other local-only password managers which people sync via scripts / dropbox / etc. They're doing fine, though 1P is dramatically better than the competition and I'm plenty happy paying for it.
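The "one encrypted blob per change, synced by copying files" design the comment describes, as an added illustration. This is not 1Password's, AgileBits' or the commenter's code, and it makes no claim about how 1Password or KeePass actually store or sync vaults. It assumes a hypothetical vault format (salt | nonce | parent-id | ciphertext | tag) and, because the Python standard library has no AEAD, uses HMAC-SHA256 in counter mode as the keystream and encrypt-then-MAC for integrity; a real vault would use AES-GCM or ChaCha20-Poly1305. The sync-folder side is modelled as a compare-and-swap on the blob's recorded parent, so two devices editing stale copies get an explicit conflict rather than a silent last-writer-wins overwrite.

```python
"""Local-only password vault as one authenticated blob, synced wholesale with
optimistic concurrency. Added example; hypothetical format, not any product's."""
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
ROOT_ID = "00" * 32  # parent id recorded by the very first vault version


def derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                        p=SCRYPT_P, dklen=64, maxmem=64 * 1024 * 1024)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream. Stand-in for a real
    AEAD cipher (assumption of this example; stdlib offers no AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def blob_id(blob: bytes) -> str:
    """Content address of a vault version; used as the parent pointer."""
    return hashlib.sha256(blob).hexdigest()


def parent_of(blob: bytes) -> str:
    """Parent id lives in the cleartext header (covered by the MAC)."""
    return blob[32:64].hex()


def seal(password: str, entries: dict, parent_id: str) -> bytes:
    """Serialize the whole vault into one blob: salt | nonce | parent | ct | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    header = salt + nonce + bytes.fromhex(parent_id)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(password: str, blob: bytes) -> tuple:
    """Verify the MAC over header+ciphertext before decrypting; any bit flip in
    the synced file (or a wrong password) is rejected, never half-decrypted."""
    if len(blob) < 16 + 16 + 32 + 32:
        raise ValueError("vault blob too short")
    salt, nonce = blob[:16], blob[16:32]
    ciphertext, tag = blob[64:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob failed authentication (tampered or wrong password)")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return parent_of(blob), json.loads(bytes(a ^ b for a, b in zip(ciphertext, ks)))


def publish(remote_blob: Optional[bytes], new_blob: bytes) -> tuple:
    """Compare-and-swap onto the sync folder: accept only if new_blob's recorded
    parent is exactly what is there now; otherwise report a conflict instead of
    letting the last writer silently win, which is how a plain file overwrite behaves."""
    current_id = blob_id(remote_blob) if remote_blob is not None else ROOT_ID
    if parent_of(new_blob) != current_id:
        return "conflict", remote_blob
    return "ok", new_blob


def demo_two_devices(password: str = "correct horse battery staple") -> tuple:
    """Constructed scenario: A and B both load v0, then both push edits."""
    status, remote = publish(None, seal(password, {"example.com": "hunter2"}, ROOT_ID))
    base = blob_id(remote)                      # both devices remember v0 as their base
    _, entries_a = open_vault(password, remote)
    _, entries_b = open_vault(password, remote)
    entries_a["example.com"] = "new-pw-from-A"  # A rotates a password and pushes first
    status_a, remote = publish(remote, seal(password, entries_a, base))
    entries_b["bank.example"] = "added-on-B"    # B edits its stale copy
    status_b, remote = publish(remote, seal(password, entries_b, base))
    return status_a, status_b, open_vault(password, remote)[1]
```

On a conflict the device still holds its own edits locally; the sensible recovery is to reload the remote blob, re-apply the change, and publish again against the new base, which is exactly the step a blind file-sync client skips when it drops a "conflicted copy" beside the original.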


1Password X is an extension that is sandboxed. However, the default sandbox is not enough. We also spent a huge amount of effort on its security model. Here is more information about it:

https://support.1password.com/1password-x-security/




