Wow, that’s a comprehensive response, thank you.
I know that LastPass and 1Password are both closed source solutions. It’s one of the main reasons I use Password Safe as it’s open source, has been audited several times and I’ve used it for years. I’m going to migrate to KeePass when I get time as it’s got more features and has received a €1 million security audit by the EU.
I prefer software that is under my control because if LastPass or 1Password go out of business they might not give a grace period for downloading your data. AxCrypt suffers from the same problem in that respect because the password database is exclusively online. I’ve tested AxCrypt on my other computers and I can still decrypt files without an internet connection, so I’m not at all concerned about losing access to my important files because I have a backup copy of AxCrypt.
I wholeheartedly agree with locking down the SSL configuration: it should be tight and secure. Now that 3DES is obsolescent according to the US Government, LastPass should stop using it.
The argument for having your servers in Sweden is a good one but it still relies upon me trusting you (just like I’d have to trust LastPass or 1Password) because your server source isn’t open sourced and it wouldn’t matter even if it was because there’d be no way I could verify whether that was actually in use.
I don’t know the mechanics of 1Password because I don’t use it, but I’d like to believe that even if they’re using AWS they’re checking data integrity on the database to stop this type of attack, and they’re probably using a dedicated server instead of shared hosting, which would make it more difficult.