1Password to change file formats after key file found to contain unencrypted data

Posted:
in Mac Software edited October 2015
1Password makers AgileBits have promised to change one of the default file formats in the software in response to a blog post by Microsoft engineer Dale Myers, who revealed that an AgileKeychain file was displaying unencrypted metadata.




Associated with the software's 1PasswordAnywhere service -- which allows remote access without having 1Password installed -- the file contains the name and address of every stored item, which could potentially reveal large swaths of personal information such as visited sites, bank accounts, and purchased apps, Myers said. Worse, keychains hosted on websites are indexed by Google, which could make it easy to learn someone's personal details through an informed Web search.

In its defense, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption. It introduced a secure format called OPVault in December 2012, but chose not to automatically migrate everyone since the switch might cause compatibility problems with older versions of 1Password.

The company is already transitioning to making OPVault the default format, starting with the latest 1Password for Windows beta. Mac and iOS upgrades should happen "soon," AgileBits said, and the technology is eventually coming to Android. Only once all these changes happen will migration become automatic.

In the meantime, the company is offering instructions on how to use OPVault where possible. People who only use the 1Password iOS app, for instance, can choose to sync via iCloud.
«13

Comments

  • Reply 1 of 49
    auxioauxio Posts: 1,990member
    Quote:

    Originally Posted by sog35 View Post

     

    WTF.

     

    This is ridiculous.  All trust lost.




    Seriously.  As a security-related company you need to have one guiding principal be highest priority: keep information secure.  If you sacrifice that for anything else, you're dead in the water.

  • Reply 2 of 49
    So what. The keys might be visible on some old files - this app is about securing the value behind the keys.

    But it is a "splendid" idea from a M$ employee to brag about such informations without contacting the software maker first. It means that displaying his find was more important than the security of the few remaining users that uses winsux mobile. Perhaps should 1password simply pull that app from M$ store.
  • Reply 3 of 49
    crowleycrowley Posts: 5,834member

    Didn't use the Anywhere service, but this is a bit concerning; 1Password is a crucial application for me and many others, and if anyone had access to that data they could do major damage.  I'm not going to reactively crucify them for issues with a legacy format for a service that I didn't use, but they need to make a good response to this, and quickly.

  • Reply 4 of 49
    Quote:
    Originally Posted by sog35 View Post

     

    WTF.

     

    This is ridiculous.  All trust lost.


     

    According to Wikipedia, Apple is the exact same. Guess it's Windows for you.

     

    https://en.wikipedia.org/wiki/Keychain_(software)

    Quote:

     The keychain file(s) stores a variety of data fields including a title, URL, notes and password. Only the passwords and Secure Notes are encrypted, with Triple DES.


     

    Apple's documentation supports this

    https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/keychainServConcepts.pdf

    Quote:

    For keychain items that do not need protection, such as certificates, the data is not encrypted....


     


    As you might expect, Internet passwords include attributes for such things as security domain, protocol type, and path. The passwords or other secrets stored as keychain items are encrypted.... The attributes are not encrypted, however, and can be read at any time, even when the keychain is locked. 


  • Reply 5 of 49
    sflocalsflocal Posts: 4,627member

    I've been seriously considering 1Password's service to better manage passwords.  Apple's method has a lot to be desired.



    I'll keep an eye on it, but I'm holding off for now.



    It's absurd that a security company even remotely considered (at one time) having unencrypted data.  Just ridiculous.  They burned the trust for a lot of people.



    What's your take on this Solips?  I know you're a big fan of the service.

  • Reply 6 of 49
    auxioauxio Posts: 1,990member
    Quote:

    Originally Posted by Crowley View Post

     

    I'm not going to reactively crucify them for issues with a legacy format for a service that I didn't use


     

    If you read the blog post, it looks like they're still using the insecure format as default if you set it up on OS X:

     

    Quote:


    If you create an OPVault on OS X, you must enter a password hint


    . . .


    Furthermore, 1Password does not create the OPVault by default. It still sticks with the Agile Keychain with no information about the security risks. In fact, convincing 1Password for OS X to even allow you to use the OPVault format can require the use of the command line: https://discussions.agilebits.com/discussion/39875/getting-your-data-into-the-opvault-format


     

    So it's not really as legacy as they're leading people to believe.

  • Reply 7 of 49
    paxmanpaxman Posts: 4,595member
    sflocal wrote: »
    I've been seriously considering 1Password's service to better manage passwords.  Apple's method has a lot to be desired.


    I'll keep an eye on it, but I'm holding off for now.


    It's absurd that a security company even remotely considered (at one time) having unencrypted data.  Just ridiculous.  They burned the trust for a lot of people.


    What's your take on this Solips?  I know you're a big fan of the service.

    Solips will provide a much better answer than I possibly could and he uses the app in more depth, I believe, but I have used it virtually since its introduction and I will not change at this point. I don't use the service in question either and yes, it should not have happened, but the app is awesome, they will fix this very quickly their livelihood depends on it. I'll be following wiser people's lead but I won't be din't no knee jerking yet.
  • Reply 8 of 49
    Android support will be hard as the majority of devices have severe performance issues with AES. (Hence why their devices still aren't encrypted) The lacking performance on that side of the market is already representing a serious JavaScript performance issue as well.
  • Reply 9 of 49
    auxioauxio Posts: 1,990member
    Quote:
    Originally Posted by konqerror View Post

     

    According to Wikipedia, Apple is the exact same. Guess it's Windows for you.

     

    https://en.wikipedia.org/wiki/Keychain_(software)

     

    Apple's documentation supports this

    https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/keychainServConcepts.pdf


     

    Nice attempt to spin this.  You should read the full blog post first to understand the worst part about the information being leaked:

     

    Quote:

     The second concern, and possibly larger concern, is that the login location is stored with the entry title. In other words, if I sign in at https://example.com/login then that is stored with the keychain entry. In 99% of cases this isn’t an issue. It’s the 1% of cases which are a concern. Developers aren’t perfect. We make bad decisions and sometimes dangerous ones. Recently I signed up with a large ISP in the UK and had to reset my password due to a bug on their system. I was sent an email with a reset link in the email. I click the link, enter a new password, and press submit. At this point two things happen. The first is that my password is reset. The second is that 1Password prompts to save my credentials. Since I used an auto-generated password and I like to keep my passwords secure, I click save. Now my new password is stored in my keychain. What if my ISP made a mistake with that email link though? Maybe they made the mistake that is all too common… So I go back to my email and click the password reset link again. Sure enough, I get prompted with a screen where I can reset my password again. They didn’t check to see if I had already used the link. And now that link is stored in my 1Password metadata, publicly accessible. Anyone can go and paste this link into their browser and they have full access to my account. Presumably I don’t need to explain any more about how that is a huge issue?


     

    The password for your Keychain can only be changed from an authorized device (not a publicly accessible URL).

  • Reply 10 of 49
    Quote:
    Originally Posted by auxio View Post

     

     

    Nice attempt to spin this.  You should read the full blog post first to understand the worst about the information being leaked:

     

     

    The password for your Keychain can only be changed from an authorized device (not a publicly accessible URL).


     

    You completely missed the point. Read the original blog post again.

     

    Quote:

     So what’s the problem? Well, it turns out that your metadata isn’t encrypted.




    Quote:

     The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.


     

    The concern is that the password reset link, for say, randomecommercesite.com, can be accidentally saved and used a second time. Keychain can do the same. It has nothing to do with changing your keychain password. Read the original blog post again. Apple is identical in the handling of website addresses... unencrypted.

     

    Make sure you have your own understanding correct before accusing others of spin.

  • Reply 11 of 49
    nasseraenasserae Posts: 3,157member
    Quote:
    Originally Posted by sflocal View Post

     

    I've been seriously considering 1Password's service to better manage passwords.  Apple's method has a lot to be desired.



    I'll keep an eye on it, but I'm holding off for now.



    It's absurd that a security company even remotely considered (at one time) having unencrypted data.  Just ridiculous.  They burned the trust for a lot of people.



    What's your take on this Solips?  I know you're a big fan of the service.




    I have noticed this long time ago when I inspected the AgileKeychain files. You can only see the name of the item and the website address. This is why I have my 1Password vault in private Dropbox folder. I also have all my questions saved as passwords just in case. However, this is something they should address. If someone bought the latest version of the software then they should have the latest security feature and not be held back by legacy crap.

  • Reply 12 of 49
    auxioauxio Posts: 1,990member
    Quote:
    Originally Posted by konqerror View Post

     

     

    You completely missed the point. Read the original blog post again.

     

     

    The concern is that the password reset link can be accidentally saved and used a second time. Keychain can do the same. It has nothing to do with changing your keychain password. Read the original blog post again. Apple is identical in the handling of website addresses... unencrypted.

     

    Make sure you have your own understanding correct before accusing others of spin.




    If you can tell me how I can change my Keychain password with a URL, I'll rescind my comment.  It's simply not possible afaict.

     

    And yes, I understand that other URLs used for password changes might be stored in there, so that's a concern.  But the Keychain password itself cannot be compromised this way.

  • Reply 13 of 49
    Quote:
    Originally Posted by auxio View Post

     



    If you can tell me how I can change my Keychain password with a URL, I'll rescind my comment.  It's simply not possible afaict.


     

    Read the blog post. It's NOT your keychain password. The concern is with third party sites with reusable password reset links. I believe Safari encrypts history to protect on this, but I'm not on a Mac right now to check.

  • Reply 14 of 49
    crowleycrowley Posts: 5,834member
    Quote:

    Originally Posted by auxio View Post

     



    If you can tell me how I can change my Keychain password with a URL, I'll rescind my comment.  It's simply not possible afaict.


    Who said it could?  Not sure what you're reacting to here.

  • Reply 15 of 49
    auxioauxio Posts: 1,990member
    Quote:

    Originally Posted by konqerror View Post

     

    Read the blog post. It's NOT your keychain password. The concern is with third party sites with reusable password reset links. I believe Safari encrypts history to protect on this, but I'm not on a Mac right now to check.


     

    ok, I'll put my time where my mouth is and test this out: I'll reset a password for a website I use, store it in my Keychain, and check to see if there's anything in the Keychain data which could expose this.  Given that no one has reported it as an issue (especially in light of this article), I'd be very surprised if there is.  But obviously one can't be certain without checking themselves.

  • Reply 16 of 49
    kpluckkpluck Posts: 500member

    LOL..typical ignorant AI responses.

     

    -kpluck

  • Reply 17 of 49
    nasseraenasserae Posts: 3,157member
    Quote:

    Originally Posted by konqerror View Post

     

     

    Read the blog post. It's NOT your keychain password. The concern is with third party sites with reusable password reset links. I believe Safari encrypts history to protect on this, but I'm not on a Mac right now to check.




    Shouldn't the password reset link expire after short period of time making the link useless?

  • Reply 18 of 49
    auxioauxio Posts: 1,990member
    Quote:

    Originally Posted by Crowley View Post

     

    Who said it could?  Not sure what you're reacting to here.




    I misinterpreted the original article and thought that you could change the 1PasswordAnywhere database password using a reusable URL.  In which case, if someone was able to reuse that URL via discovering it in the unencrypted metadata, they'd have access to your entire 1Password account.

     

    This would be akin to being able to change your Keychain password using a URL (which you can't) and it exposing that same data.

     

    However, I now see that the blog post was talking about changing passwords for other websites.

  • Reply 19 of 49
    I'm sure many of us are using the iOS app and Mac app. Just make sure you sync through iCloud and this is a non-issue. If you are syncing through Dropbox, you can change to iCloud and delete your Dropbox sync files. This really is blown way out of proportion. The MS guy who started this is still using 1Password. That should say something.
  • Reply 20 of 49
    auxioauxio Posts: 1,990member
    Quote:

    Originally Posted by kpluck View Post

     

    LOL..typical ignorant AI responses.




    Says the thoroughly educational response from Dr. MagicJack

Sign In or Register to comment.