Rated 2 out of 5 stars
Dear Developer, I wished, y o u read, what I wrote:
Passwords are PRIVATE, which means: The only place they are made for is the home of the user who created them (or at least a place only the user can access). Your machine may encrypt them (btw, one user found that the master password for this storage is identical to the login password to the account on your machine...?!?). But even if they are encrypted, one has to send you the not encrypted passwords as well as the 'master password' to encrypt them.
This way every traffic listener on the web with enough knowledge can catch this data... and what kind of 'security' is this? You need to receive the not encrypted passwords to be able to encrypt them and... you know the master password... of course you also know the encryption algorithm ... what else can one offer you to access every single password (this method you call trustworthy???)? If you were smart enough, then you also created a 'comment' field for every stored password, so that the users are 'able' to remember where these passwords fit... (as well as you, what a convenient solution!)
Hm, do you need more? No, man, I'm not paranoid, but you seem to think all people trust in strangers... maybe some do - I WON'T.
Would YOU give all your passwords to me, if I'd tell you they will be encrypted? You know what? There are indeed methods for such a kind of storage on a server, BUT before one single password leaves a machine, it has to be encrypted LOCALLY with an algorithm AND password, which WILL NEVER leave the local machine. This would be safe, because nobody can decipher them (no sniffer, nobody in your network). And if you are a really correct person, then you think about what I and TheAssasin have mentioned.
We are using the method that you consider safe! Please check and see for yourself!
To quote you directly:
"There are indeed methods for such a kind of storage on a server, BUT before one single password leaves a machine, it has to be encrypted LOCALLY with an algorithm AND password, which WILL NEVER leave the local machine"
This is __EXACTLY__ what LastPass does! You don't have to take our word for it either, other people have verified that it's true, and we will help you verify that it's true yourself if you'd like to verify it.
I don't expect everyone to take what we're saying at face value, I expect them to verify, and once they do, they realize that what we're doing is secure. By the same token, I'd hope you'll consider checking into what we're doing further, the user who questioned how our login password worked did and verified every aspect of the solution and was satisfied.
We'd like nothing more than a large number of people verifying what we're doing; we're not infallible, and we realize that more eyes = more safety.