What I meant by it: Securing the system against breaches of, even encrypted, data.
I was trying to differentiate the security of access to the encrypted database from the security of the data inside the encrypted database, i.e., how hard is it to get it, instead of how hard it is to break once you have it.
Because I think that the security reduction discussed here (e.g., allowing weak master passwords) is on the "how hard is it to break it?" side, while the breach itself is on the "how hard is it to get it" side. Based on this separation, I don't think that the breach is a sign that the reduction was a price too high, because the reduction in security did not make the access easy - bad access security made that possible.
Every password manager is built with the idea that one day, the server will be hacked and the vaults will be free to download. The same goes for E2EE in general.
With this in mind, LastPass and Bitwarden's solutions are very poor and can result in most customers' vaults being breached, whereas 1Password's secret key model stays strong.
Maybe that's a better way of restating my point that access security is not identical to the security of the password store.
> With this in mind, LastPass and Bitwarden's solutions are very poor and can result in most customers' vaults being breached, whereas 1Password's secret key model stays strong.
While it's believable that most people's passwords are weak enough to be broken, I wonder how many people actually have bad enough passwords to be reasonably decrypted.
I have no doubt about the security of 1Password's secret-key model being stronger - and I haven't seen anyone claim any different. At most I have seen anyone claim it is cumbersome and will get people to use no password manager instead (resulting in weak, reused passwords).