I have an idea how to bring the security of 1Password to a new level. Installation of 1Password on a desktop/laptop computer and a mobile device is required for this.
Probably the biggest security risk with using 1Password is if the computer on which 1Password is installed gets compromised by some kind of trojan horse. Then everything can happen. The master password could be derived while typing, the 1Password database copied somewhere else, and the attacker would have access to all the data.
Since a lot of people will have an iPhone/iPad/iPod with 1Password installed on it, this installation could be used to increase the security of 1Password on the desktop computer.
This could be achieved if the desktop computer does not use its own 1Password database but retrieves data from the mobile device. Networking functions between the desktop and mobile installations of 1Password have already been implemented for syncing the 1Password database. 1Password could be enhanced by putting 1Password on the mobile device in some sort of server mode, from which the desktop installation of 1Password retrieves data. Each time the desktop edition wants to retrieve data, the user has to accept the request on the mobile device. Thereby, no data can be retrieved secretly by malware on the desktop.
Necessary steps to establish this kind of security:
1. Couple 1Password on the mobile device and the desktop. This has to be done only once, like Bluetooth device pairing.
2. On the mobile device, start 1Password and put it in "server mode" when access to 1Password data will be needed.
3. Now surf the web and use the 1Password plugin like always. Every time the user wants to fill in secret data on a web site, the plugin requests data from 1Password on the mobile device. The user has to accept the request. In this mode, all changes ("would you like to update the data for account...") happen on the mobile device and are synced back encrypted to the desktop.
I think such a functionality could be implemented with moderate effort while providing an unprecedented level of security. The impact on the user experience/comfort is very low. Just pressing a button to accept a request for a new level of security seems acceptable to me. Nobody will be forced to use this feature, since it would have to be optional anyway.
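As an added illustration (this is example code written for this page, not code from the original post and not 1Password's own implementation), the following Python model walks through the three steps above: a one-time pairing, a mobile "server mode" switch, and a per-request approval on the mobile side. All of the names (MobileVault, DesktopClient, request_tag, run_scenarios), the HMAC-SHA256 request tag, the per-request nonce and the approve callback are assumptions made for the example. It deliberately models only the authorization logic; it assumes the desktop-to-mobile transport is already confidential (for instance TLS over the existing sync channel) and does not encrypt anything itself.

```python
import hashlib
import hmac
import secrets


def request_tag(key, desktop_id, site, nonce):
    """Authentication tag over one request, keyed with the pairing key.
    Hypothetical wire format: '<desktop_id>|<site>|<nonce>'."""
    msg = f"{desktop_id}|{site}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class MobileVault:
    """Mobile side: holds the entries, the pairing keys and the approval prompt.
    Hypothetical model of the proposal, not 1Password's implementation."""

    def __init__(self, entries, approve):
        self.entries = entries          # site -> credential (constructed sample data)
        self.approve = approve          # callable(site, desktop_id) -> bool; stands in for the on-device prompt
        self.pairing_keys = {}          # desktop_id -> 32-byte key from the one-time pairing (step 1)
        self.seen_nonces = set()        # answered nonces, so a captured request cannot be replayed
        self.server_mode = False        # step 2: nothing is served until the user switches this on

    def pair(self, desktop_id):
        """One-time pairing: mint a key and hand it to the desktop out of band."""
        key = secrets.token_bytes(32)
        self.pairing_keys[desktop_id] = key
        return key

    def handle_request(self, desktop_id, site, nonce, tag):
        """Step 3 on the mobile side. Every check that fails returns a denial
        without touching the entries; only an approved request returns data."""
        if not self.server_mode:
            return ("denied", "server mode is off")
        key = self.pairing_keys.get(desktop_id)
        if key is None:
            return ("denied", "unpaired device")
        if not hmac.compare_digest(request_tag(key, desktop_id, site, nonce), tag):
            return ("denied", "bad authentication tag")
        if nonce in self.seen_nonces:
            return ("denied", "replayed request")
        self.seen_nonces.add(nonce)
        # The pairing key does not protect against malware on the paired desktop itself
        # (it has the key too); this prompt is what stops silent retrieval.
        if not self.approve(site, desktop_id):
            return ("denied", "user rejected on mobile")
        if site not in self.entries:
            return ("denied", "no entry for site")
        return ("ok", self.entries[site])


class DesktopClient:
    """Desktop side: the browser plugin asking the mobile device for a credential."""

    def __init__(self, desktop_id, key):
        self.desktop_id = desktop_id
        self.key = key

    def build_request(self, site):
        nonce = secrets.token_hex(16)   # fresh per request; the vault refuses to answer it twice
        return (self.desktop_id, site, nonce, request_tag(self.key, self.desktop_id, site, nonce))


def run_scenarios():
    """Exercise the cases the proposal cares about; returns a dict of outcomes."""
    # Constructed sample vault and a scripted 'user' who approves example.com but not bank.example.
    entries = {"example.com": ("alice", "correct horse battery staple"),
               "bank.example": ("alice", "hunter2")}
    decisions = {"example.com": True, "bank.example": False}
    vault = MobileVault(entries, approve=lambda site, _desktop: decisions.get(site, False))
    results = {}

    key = vault.pair("desktop-1")                       # step 1
    desktop = DesktopClient("desktop-1", key)

    results["server_mode_off"] = vault.handle_request(*desktop.build_request("example.com"))
    vault.server_mode = True                            # step 2
    results["approved"] = vault.handle_request(*desktop.build_request("example.com"))
    results["user_rejected"] = vault.handle_request(*desktop.build_request("bank.example"))

    rogue = DesktopClient("desktop-evil", secrets.token_bytes(32))   # never paired
    results["unpaired"] = vault.handle_request(*rogue.build_request("example.com"))

    forged = DesktopClient("desktop-1", secrets.token_bytes(32))     # right id, wrong key
    results["forged_tag"] = vault.handle_request(*forged.build_request("example.com"))

    req = desktop.build_request("example.com")          # approved once, then replayed verbatim
    results["replay_first"] = vault.handle_request(*req)
    results["replay_second"] = vault.handle_request(*req)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} -> {outcome}")
```

The model makes the proposal's security argument concrete: whichever machine sends the request, nothing leaves the mobile device until server mode is on, the request carries a tag only a paired desktop can produce, the nonce has not been seen before, and the user has pressed accept for that particular site.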