Yes, but in reality that's the same thing, no? Whether it's my one password I use for all my sites, or the 1Password master password that gets access, basically the same way? I mean, you find out your master password, you're in. I can't explain it any simpler.
I've held off getting 1Password because of this very issue.
So, there are a lot of replies to this already, but I'm going to try to start from the beginning.
Most people use the same password (or couple of passwords) for all of their sites. Let's say:
PasswordA
PasswordB
Sites also require an email address and/or a username. Most people again use the same email or username for all sites.
Let's say that SiteA is broken into and a malicious user gains access to the usernames and passwords for that site. You as a user used PasswordA for that site.
The malicious user could then take that username and try it at any number of other popular sites (banks, social media sites, email sites, etc.), trying that username and password combination to see if they could gain access.
In other words, using the same username and password combination is a risk, one that we don't feel you should take.
You can read more detail on the above topic here:
http://blog.agilebits.com/2014/09/30/shellshock-is-bad-unique-passwords-are-good/
While the topic of that post is about Shellshock, the description of the issue is right in line with the questions you're asking.
Now, the solution to this issue is to use a password manager like 1Password, or any of the other similar tools. Our stance is always that you should use a password manager, even if it isn't ours because it's better than not using one at all. If you don't trust us, then there are others out there that do the same thing, including Apple.
When using a tool like 1Password you can generate random unique passwords for each site. Now if a malicious user breaks into a site and gets the usernames and passwords, they have a unique password for your login and it's not used anywhere else on any other site. You only have to change the password for that site, not all of the others if anyone gains access to the passwords.
Good so far?
Now, with 1Password you use a strong and unique master password. Mine is not random characters and letters and symbols. At least, not entirely. I used something called Diceware to generate my master password. I then inserted some random symbols and numbers into it that make it a bit more unique (this is all done randomly by the tool I used to generate the master password). It's something like 30 characters long. The benefit of Diceware is that it uses normal words from a dictionary, so remembering it is far, far easier and typing it is also quite a bit easier. They're also very secure.
Here's a bad password:
B@dP@$$w0rd
Here's a great password:
|||92.pass.England.soldier.Colombia.goodbye.enter.7|||
That's a bit longer but as you can see, even though it is longer than my ~30 characters it's still very easy to type.
I used this tool to generate it:
https://www.xkpasswd.net/c/index.cgi
Now, the second part of your question is: why trust a password manager instead? This is a complicated thing, but here's some food for thought.
1) We document our data format and make it available publicly so that other people can review the process by which we encrypt your data. It has been confirmed by a lot of big names because it is open to scrutiny. No one has indicated that our new format (CloudKeychain) is doing anything inherently wrong. This backs up our usage of encryption, since it's verifiable that we're using the right tools.
2) Password cracking tools have open access to our format so they can attempt to crack into it. This further proves the strength of our tools.
You can read more about 1 and 2 here:
http://blog.agilebits.com/2013/03/06/you-have-secrets-we-dont-why-our-data-format-is-public/
3) Your data is your data. We do not store your data on our servers. We optionally store it in Dropbox or iCloud. If you don't want to use a cloud server then you can sync via Wi-Fi (to an iOS device) or a local folder on the computer (to other Macs/PCs). So, if you're cloud averse you have options.
4) If you use a strong master password, like the one above, it would take thousands of years (likely several orders of magnitude more) for someone to crack that password by brute force. So even if someone gains access to your data file they still need your master password, which is unique and not used anywhere else.
There's a lot here, so if you have questions I'm happy to answer anything I can. You are right in that if someone were to gain access to your master password and your data file then you did give them everything, but this is far less likely than someone obtaining a single password for a site. Keep in mind it's far harder to gain access to something that isn't available anywhere but on a physical device than it is to gain access to something that is on dozens of servers, perhaps not even encrypted (as we've found from many websites).
That means that your 1Password data is far far less likely to be in the hands of a malicious user than the username/password list from a website. You control 1Password, you don't control the website.
I'm happy to answer any questions you might have.
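The arithmetic behind the Diceware advice and the "thousands of years" estimate in point 4, as an added worked example that is not part of the original post and is not 1Password's own code. It generates a Diceware-style passphrase from the OS CSPRNG and compares its keyspace with that of a leet-mangled dictionary word of the B@dP@$$w0rd kind. The word list is a constructed stand-in for the real 7776-word Diceware list (the entropy figures use the real list size), and the guess rates, dictionary size and rule count are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed stand-in for a Diceware word list. The real list has 6**5 = 7776
# words, one per outcome of five dice rolls; this sample only lets the generator
# run offline. The entropy math below uses the real list size, not this one.
SAMPLE_WORDS = [
    "pass", "england", "soldier", "colombia", "goodbye", "enter",
    "anchor", "basil", "cobalt", "dune", "ember", "falcon",
    "gadget", "harbor", "ivory", "juniper", "kettle", "lantern",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in the real Diceware list
PRINTABLE_ASCII = 95         # symbols available to a fully random character password


def entropy_bits(alphabet_size, length):
    """Entropy in bits of `length` independent, uniform picks from `alphabet_size` symbols.

    This is log2 of the attacker's keyspace, alphabet_size ** length. It only holds
    when every pick is genuinely random (dice or a CSPRNG), never when a human
    chooses the words or characters.
    """
    return length * math.log2(alphabet_size)


def mangled_word_bits(dictionary_size, rule_count):
    """Effective entropy of one dictionary word passed through one of `rule_count` rules.

    Models how a cracker attacks B@dP@$$w0rd-style passwords: pick a word, apply a
    leet/case/digit substitution rule. The sizes passed in are assumptions.
    """
    return math.log2(dictionary_size) + math.log2(rule_count)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time in years to try every key of a 2**bits keyspace at a fixed rate."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def diceware_passphrase(words, n_words, separator=".", rng=secrets):
    """Pick `n_words` uniformly at random from `words` and join them with `separator`.

    `rng` only needs a `.choice()` method; the default is the `secrets` module,
    which draws from the OS CSPRNG.
    """
    return separator.join(rng.choice(words) for _ in range(n_words))


def with_random_digits(passphrase, n_digits, rng=secrets):
    """Append `n_digits` random decimal digits, each worth log2(10) ~ 3.3 extra bits."""
    digits = "".join(str(rng.choice(range(10))) for _ in range(n_digits))
    return passphrase + "." + digits


if __name__ == "__main__":
    # Assumed guess rates: a GPU rig against a fast unsalted hash, and the same rig
    # against a deliberately slow key derivation function (both figures are assumptions).
    FAST_HASH_RATE = 1e10
    SLOW_KDF_RATE = 1e5

    candidates = [
        ("six Diceware words", entropy_bits(DICEWARE_LIST_SIZE, 6)),
        ("eleven random printable characters", entropy_bits(PRINTABLE_ASCII, 11)),
        ("one dictionary word with a leet rule", mangled_word_bits(100_000, 64)),
    ]
    for label, bits in candidates:
        print(f"{label}: {bits:.1f} bits; "
              f"{years_to_exhaust(bits, FAST_HASH_RATE):.3g} years at {FAST_HASH_RATE:.0e}/s, "
              f"{years_to_exhaust(bits, SLOW_KDF_RATE):.3g} years at {SLOW_KDF_RATE:.0e}/s")

    print("example passphrase:", with_random_digits(diceware_passphrase(SAMPLE_WORDS, 6), 2))
```

Six words from the real list give about 77.5 bits before any digits or symbols are added, which is why the worst-case search runs to hundreds of thousands of years even at ten billion guesses per second, and many orders of magnitude longer once the data file's key derivation slows each guess down. The same program shows why the mangled dictionary word falls in well under a second: a cracker does not search 95 symbols per position, it searches words and rules.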
