I just migrated over to 1PW for Families, and I have a few security concerns:
1) As part of your security protocol, 1PW uses a 3-part login -- the user name, the account key, and the master password. Now, on my iOS devices, when I launch the web app via Safari, the user name and the account key (partially obscured) are both pre-filled. This information does not appear in the iOS > settings > safari > saved passwords section (which is good). When I clear Safari's cached data, the fields are no longer filled. So where is it stored? Doesn't that present a security risk? Anyone who knows how to view the website's source code could potentially see the unobscured account key. I'm not sure if that can be done with Safari, but I can do it in Firefox with a plugin called Firebug. To be honest, I would prefer that all 3 fields remain unfilled by default. I know that can be done by checking the "public or shared computer" field, but I can't be sure all of my invited family members will do the same. The bottom line is, it defeats the purpose of having both an account key and a master password if one is automatically pre-filled as soon as the page loads. In addition, if all 1PW users have their account keys stored in Safari's data file, which is typically backed up through the daily iCloud backup, this seems like a pretty major weakness, and sooner or later a target for hackers.
2) As a longtime 1PW for iOS user, I'm accustomed to a high degree of security, including the fact that the app locks as soon as I switch to another app. This is very good. But the new web app (accessed via both iOS and Windows) concerns me. I haven't tested it fully yet, but what happens if I forget to log out of the web app? Is it still accessible? I'm worried because now several family members, each with several devices and living all over the country, will have my account key stored in their browsers. Please help me feel better about this.
3) This is not a security question, but it's related to the above. When I cleared the Safari cached data and then launched the URL, the 3 fields were indeed blank. But when I clicked on the 1PW browser extension to fill in those fields, it didn't quite work right. The 3 fields are, in order, user name, account key, and master password. But 1PW left the name field blank, then put my user name in the second field where account key goes. It did fill the master password field properly. FYI, in my 1PW login entry for this website, I manually created an "account key" field. So the information is all there, but the browser extension doesn't populate the fields correctly. Is this a case where I need to manually create the login from the filled website login form?