I know my master password is strong and you guys encrypt from end to end, but I thought I would share this
@prime: Thanks! I saw that earlier when making my rounds, but hadn't had a chance to investigate further. I'm moving this to the Lounge category though, since it isn't platform-(or 1Password-) specific.
This is exactly why we publish design documentation for our data formats and use end-to-end encryption. The only way for a system to have perfect security is for it to be locked down completely — and of course that precludes us being able to access data remotely... But 1Password has a single way in: your Master Password.
Tokens are a problem, but it's important to note that, again, these exploits require device access — not necessarily physical access, but it needs to be compromised in order to steal the token in the first place. As always, the best thing to do is to only give and receive information to/from trusted sources: keep untrusted software out of your systems, and don't give anything away to an unknown entity.