AgileBits has promised to beef up the security of 1Password after a Microsoft software engineer discovered that details of which websites you visit are unencrypted and indexed by Google if you use the 1PasswordAnywhere feature. Dale Myers said that he discovered this by chance after a sync problem led him to investigate the files used to store the metadata.
It turns out that your metadata isn’t encrypted [allowing someone to] go through and find out exactly what shady sites I have accounts on, what software I have licences for, the bank card and accounts I hold, the titles of any secure notes I have, and anything else I’ve decided to store in there.
While passwords remain secure, privacy is placed at risk and the data obtained could, says Myers, be used in a phishing attempt.
Thanks to people having links for easy access to their keychain on their websites, Google has indexed some of these. A simple search brings up results. By looking at one of these it was a simple matter to identify the owner of the keychain and where he lived. I know what his job is. I even know the names of his wife and children. If I was malicious, it would be easy to convince someone that I had compromised their account and had access to all of their credentials.
AgileBits said that the decision not to encrypt metadata was taken back in 2008, when decryption on mobile devices involved significant performance and battery-drain issues, and that it introduced a secure file format in 2012, but that it didn’t want to break compatibility with older versions by making that format the default.
The company said that work on making the secure file format the default was already in hand.
We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users.
For those who don’t want to wait, the company has posted instructions for manually migrating to the new format.
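Before migrating, it helps to see what a legacy vault actually leaves readable. The audit script below is an added example, not code from the article or from AgileBits: it walks a sync folder, flags `.agilekeychain` bundles, and lists the item titles and sites that can be read with no key at all, while `.opvault` bundles are reported as fine because their metadata is encrypted. It assumes the legacy layout `data/default/contents.js` (a JSON array whose rows hold the title at index 2, the site at index 3 and a trash flag at index 7); the sample vault it builds is constructed for the demo.

```python
import json
import os
import tempfile

# Constructed sample contents.js in the legacy .agilekeychain layout.
# Row layout assumed: [uuid, type, title, site, updatedAt, folder, strength, trashed]
SAMPLE_CONTENTS_JS = json.dumps([
    ["A1", "webforms.WebForm", "Example Bank login", "bank.example", 1400000000, "", 0, "N"],
    ["A2", "webforms.WebForm", "Forum account", "forum.example", 1400000100, "", 0, "N"],
    ["A3", "securenotes.SecureNote", "Tax ID note", "", 1400000200, "", 0, "N"],
    ["A4", "webforms.WebForm", "Old shop", "shop.example", 1400000300, "", 0, "Y"],
])


def plaintext_metadata(keychain_dir):
    """Return (title, site) pairs readable without any key from an
    .agilekeychain folder; trashed items are skipped."""
    path = os.path.join(keychain_dir, "data", "default", "contents.js")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        rows = json.load(fh)
    return [(row[2], row[3]) for row in rows if len(row) > 7 and row[7] != "Y"]


def audit_sync_folder(root):
    """Walk a sync folder; legacy vaults get their exposed metadata listed,
    OPVault bundles are reported with nothing exposed."""
    report = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if d.endswith(".agilekeychain"):
                report[d] = {"format": "agilekeychain", "exposed": plaintext_metadata(full)}
            elif d.endswith(".opvault"):
                report[d] = {"format": "opvault", "exposed": []}
    return report


def make_demo_folder():
    """Build a constructed sync folder holding one legacy and one OPVault bundle."""
    root = tempfile.mkdtemp()
    legacy = os.path.join(root, "1Password.agilekeychain", "data", "default")
    os.makedirs(legacy)
    with open(os.path.join(legacy, "contents.js"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONTENTS_JS)
    os.makedirs(os.path.join(root, "1Password.opvault", "default"))
    return root


if __name__ == "__main__":
    for name, info in audit_sync_folder(make_demo_folder()).items():
        print(name, info["format"], "exposed items:", len(info["exposed"]))
```

Any non-empty `exposed` list is metadata that anyone who can reach the folder (a shared link, a web server, a search engine) can read; that is the case for migrating to OPVault.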
The 1Password iOS app was updated last month with a new design, new password-generation features and iOS 9 features. If you’re not yet using a password manager, check out our how-to guide.
I think 1P is just a crap product. When registering at a site it logs that URL. Then I use the password suggestion from Safari, which gets saved in the keychain. The site then tells me it doesn’t adhere to the password criteria (one digit, one capital letter, no hash or hyphen… and so on). If I right-click the password field and choose 1P I cannot enter the site’s criteria. So I type in a password myself. Yup, 1P saves it as a new entry. Safari simply asks me if I want to update the saved password. Much cleaner, and that just works.
When going to that site where I just registered Safari can log me in, 1P thinks it’s a new website login as the URL has changed, so offers to save the password. My 1P list is ridiculously long, and I don’t feel like editing it all out since Safari / Keychain already work.
Then there’s the OSX 1P interface; totally missing the point on how to design software. And I can’t sync the DB as I didn’t purchase the desktop app through the MAS but through the webshop from AgileBits themselves (which was actually their recommendation!)
People, if you’re planning on buying a PW manager; don’t buy this one. Or don’t buy any; Apple’s Keychain works just fine.
I use LastPass, and have the same issue that I have to manually trim the URL back to the root when first saving passwords. That’s habit now, though, so I do it on auto-pilot.
I use both Keychain and 1Password. I’d dump 1Password for Keychain but its UI is in sore need of an update: having to type/paste in one’s account password each time you want to get to a stored login password is incredibly awkward. And, unlike 1Password (and other dedicated password managers), it’s not meant to hold anything more than logins. 1Password will hold accounts, credit cards, the works. Very useful.
I don’t use 1Password everywhere so I’m not sure this latest vulnerability applies to me but I’ve found the company pretty decent about clearing up problems when they arise. 1Password is far from perfect but it is useful and so far it’s worked pretty well for me (along with Keychain).
I’ve been using 1Password for years in iOS and on my Mac. I have not experienced the pain you have. I find the password generator feature very flexible in meeting a site’s password rules. Sure, from time to time a URL changes at a website and I have to re-save that login entry with the new information, but this doesn’t happen that frequently. It’s a minor issue and one I do not attribute to 1Password’s product. With no similar standards followed across all the websites we encounter on a day-to-day basis… for 1Password to handle as many of them as it does is a testament to how hard they work in maintaining a tool that is convenient and safe to use.
I’ve been frustrated with the same issues but I still find 1P to be beneficial enough to keep it around. Sometimes I find Apple’s method to not capture the credentials and then not use credentials that were captured. It’s rare but it happens. Both have their issues.
I also agree that the UI needs a makeover. 15 some odd years ago I was a Windows user for a few years and my first foray into having a password manager was something called Roboform. It worked great and exactly the way I wanted it to. No idea how good it is now but I still wish Apple’s and AgileBit’s solutions worked as good as that did then.
Heh, yeah, I used Roboform too. Feels a long time ago now!
I’m Megan and I work for AgileBits, the makers of 1Password.
I’m sorry to hear that you’ve been feeling frustrated with 1Password. We generally recommend disabling the browser’s built-in password management and autofill function, as that can cause confusion, but it’s not absolutely necessary.
It sounds like you’re experiencing some issues with the 1Password browser extension, such as the autosave prompt not appearing when expected, the form filling function not working where expected, and the password update prompt not appearing when expected.
What we’d like to do is recommend that you temporarily disable Safari’s password management and form filling functions, just until we get this sorted out, and then you can enable it again. Blog comments aren’t the best place for troubleshooting, so we invite you to email us at firstname.lastname@example.org. Our support team would love to help get 1Password working smoothly for you. :)
For users who sync their library with iCloud, the OPVault format is the default format. See support page: https://support.1password.com/switch-to-opvault/
I love Dashlane. I hope it’s secure!
If Google were indexing everything in my Dropbox I’d be in a lot more trouble than just what’s plaintext in my .agilekeychain file!
So can @benlovejoy please explain how users are at risk here? The program offers sync through Dropbox or a local folder; how does that get on the public internet?
It’s explained in detail in the linked blog piece, David – I decided it was a bit too involved to quote in the piece here.
Thanks for replying Ben, but it still reads like a big nothing burger.
Dale’s blogpost starts with the sentence:
“… 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software.”
He links directly to an AgileBits support document with instructions to use 1PasswordAnywhere. Step 1 of their instructions reads:
“1: Log in to the Dropbox website.”
Since my Dropbox account is secured behind 2-factor authentication, no one else has access to the files it contains be they plaintext, encrypted, or just downright explicit.
So the _only_ way this is an issue is if someone were to upload their .agilekeychain directory to an Internet web server, presumably so they can access it without the tedious effort involved with logging into the Dropbox website. That is, if they decided against following the directions provided by the software vendor and just threw a folder full of files onto the public internet without knowing what that folder contains.
Should someone who does that be angry at AgileBits for misleading them about the security of this folder full of files if AgileBits has not, in fact, made any assurances that this folder is completely secure?
So Dale Myers used Teh Google to search out poor misguided individuals who posted embarrassing information on their website, and has now alerted the rest of the world to the treasure trove of voyeuristic enjoyment that provides. I think you can tell which of these players has my respect.
AgileBits thinks it an issue worth fixing, so personally I think it worth flagging up to our readers.
PhilBoogie writes “If I right-click the password field and choose 1P I cannot enter the site’s criteria”. But that’s simply not true. The “Password recipe” disclosure triangle is right there in the fly-out menu, and suggested passwords can be fine tuned for the site’s acceptance.
Furthermore, while 1Password defaults to offering to save a modified password as a new entry, the “save as new entry” is a pop-up menu that also contains the choice to “update existing”.
Read Dale’s blog post, as well as AgileBits’ response. I am guessing from what I read, but it sounds like if I only use Macs and iOS devices, and only use iCloud sync, then I am not at risk. Is this correct, or your understanding as well?
I am assuming so, because a search for “.agilekeychain” on my Macs results in no files.
Based on 1Password’s documentation, as long as you are using iCloud to sync your library you are using the OPVault format and therefore you are not at risk. See the local format vs sync format… https://support.1password.com/switch-to-opvault/