1Password to change file formats after key file found to contain unencrypted data
1Password makers AgileBits have promised to change one of the default file formats in the software in response to a blog post by Microsoft engineer Dale Myers, who revealed that an AgileKeychain file was displaying unencrypted metadata.

Associated with the software's 1PasswordAnywhere service -- which allows remote access without having 1Password installed -- the file contains the name and address of every stored item, which could potentially reveal large swaths of personal information such as visited sites, bank accounts, and purchased apps, Myers said. Worse, keychains hosted on websites are indexed by Google, which could make it easy to learn someone's personal details through an informed Web search.
In its defense, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption. It introduced a secure format called OPVault in December 2012, but chose not to automatically migrate everyone since the switch might cause compatibility problems with older versions of 1Password.
The company is already transitioning to making OPVault the default format, starting with the latest 1Password for Windows beta. Mac and iOS upgrades should happen "soon," AgileBits said, and the technology is eventually coming to Android. Only once all these changes happen will migration become automatic.
In the meantime, the company is offering instructions on how to use OPVault where possible. People who only use the 1Password iOS app, for instance, can choose to sync via iCloud.
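To make the exposure concrete, here is an added example (not code from the article, from Dale Myers, or from AgileBits) that audits item records shaped like those in an AgileKeychain vault and reports which fields would be readable by anyone who can list the vault directory, flagging saved URLs whose query string looks like a reset or session token. The record layout and field names are an assumption modelled on the format as commonly described, and the sample records are constructed.

```python
"""Audit AgileKeychain-style item records for plaintext metadata.

Assumption: each item is a JSON object with 'title', 'location' and
'encrypted' fields (field names assumed here); only 'encrypted' holds
ciphertext. The sample records below are constructed for illustration.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample items; the 'encrypted' values are opaque placeholders.
SAMPLE_ITEMS = [
    {"uuid": "A1", "title": "Example Bank",
     "location": "https://bank.example/login",
     "encrypted": "<opaque ciphertext>"},
    {"uuid": "B2", "title": "ISP account",
     "location": "https://isp.example/reset?token=0123abcd&uid=42",
     "encrypted": "<opaque ciphertext>"},
]

# Query-parameter names that commonly carry a single-use credential when
# a password-reset page is what got saved as the item's URL.
SENSITIVE_PARAMS = {"token", "reset", "key", "code", "otp", "sig", "auth"}


def plaintext_fields(item):
    """Names of non-empty fields stored without encryption."""
    return sorted(k for k, v in item.items() if k != "encrypted" and v)


def risky_url_params(url):
    """Query parameters in the saved URL that look like reset/session tokens."""
    query = parse_qs(urlsplit(url).query)
    return sorted(p for p in query if p.lower() in SENSITIVE_PARAMS)


def audit(items):
    """Summarise what a reader of the vault directory learns per item."""
    return [
        {"uuid": it["uuid"],
         "exposed": plaintext_fields(it),
         "risky_params": risky_url_params(it.get("location", ""))}
        for it in items
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_ITEMS):
        print(finding)
```

Running the audit over the constructed records shows that titles and URLs are fully readable, and that the second item's saved reset URL carries a `token` parameter, which is exactly the case the blog post warned about.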

Comments
WTF.
This is ridiculous. All trust lost.
Seriously. As a security-related company you need to have one guiding principle be highest priority: keep information secure. If you sacrifice that for anything else, you're dead in the water.
But it is a "splendid" idea from a M$ employee to brag about such information without contacting the software maker first. It means that displaying his find was more important than the security of the few remaining users who use winsux mobile. Perhaps 1Password should simply pull that app from the M$ store.
Didn't use the Anywhere service, but this is a bit concerning; 1Password is a crucial application for me and many others, and if anyone had access to that data they could do major damage. I'm not going to reactively crucify them for issues with a legacy format for a service that I didn't use, but they need to make a good response to this, and quickly.
WTF.
This is ridiculous. All trust lost.
According to Wikipedia, Apple is the exact same. Guess it's Windows for you.
https://en.wikipedia.org/wiki/Keychain_(software)
Apple's documentation supports this
https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/keychainServConcepts.pdf
I've been seriously considering 1Password's service to better manage passwords. Apple's method has a lot to be desired.
I'll keep an eye on it, but I'm holding off for now.
It's absurd that a security company even remotely considered (at one time) having unencrypted data. Just ridiculous. They burned the trust for a lot of people.
What's your take on this Solips? I know you're a big fan of the service.
I'm not going to reactively crucify them for issues with a legacy format for a service that I didn't use
If you read the blog post, it looks like they're still using the insecure format as default if you set it up on OS X:
So it's not really as legacy as they're leading people to believe.
Solips will provide a much better answer than I possibly could and he uses the app in more depth, I believe, but I have used it virtually since its introduction and I will not change at this point. I don't use the service in question either and yes, it should not have happened, but the app is awesome; they will fix this very quickly, their livelihood depends on it. I'll be following wiser people's lead but I won't be doin' no knee jerking yet.
According to Wikipedia, Apple is the exact same. Guess it's Windows for you.
https://en.wikipedia.org/wiki/Keychain_(software)
Apple's documentation supports this
https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/keychainServConcepts.pdf
Nice attempt to spin this. You should read the full blog post first to understand the worst part about the information being leaked:
https://example.com/login
then that is stored with the keychain entry. In 99% of cases this isn't an issue. It's the 1% of cases which are a concern. Developers aren't perfect. We make bad decisions and sometimes dangerous ones. Recently I signed up with a large ISP in the UK and had to reset my password due to a bug on their system. I was sent an email with a reset link in the email. I click the link, enter a new password, and press submit. At this point two things happen. The first is that my password is reset. The second is that 1Password prompts to save my credentials. Since I used an auto-generated password and I like to keep my passwords secure, I click save. Now my new password is stored in my keychain. What if my ISP made a mistake with that email link though? Maybe they made the mistake that is all too common… So I go back to my email and click the password reset link again. Sure enough, I get prompted with a screen where I can reset my password again. They didn't check to see if I had already used the link. And now that link is stored in my 1Password metadata, publicly accessible. Anyone can go and paste this link into their browser and they have full access to my account. Presumably I don't need to explain any more about how that is a huge issue?
The password for your Keychain can only be changed from an authorized device (not a publicly accessible URL).
Nice attempt to spin this. You should read the full blog post first to understand the worst part about the information being leaked:
The password for your Keychain can only be changed from an authorized device (not a publicly accessible URL).
You completely missed the point. Read the original blog post again.
The concern is that the password reset link, for say, randomecommercesite.com, can be accidentally saved and used a second time. Keychain can do the same. It has nothing to do with changing your keychain password. Read the original blog post again. Apple is identical in the handling of website addresses... unencrypted.
Make sure you have your own understanding correct before accusing others of spin.
I've been seriously considering 1Password's service to better manage passwords. Apple's method has a lot to be desired.
I'll keep an eye on it, but I'm holding off for now.
It's absurd that a security company even remotely considered (at one time) having unencrypted data. Just ridiculous. They burned the trust for a lot of people.
What's your take on this Solips? I know you're a big fan of the service.
I noticed this a long time ago when I inspected the AgileKeychain files. You can only see the name of the item and the website address. This is why I have my 1Password vault in a private Dropbox folder. I also have all my questions saved as passwords just in case. However, this is something they should address. If someone bought the latest version of the software then they should have the latest security feature and not be held back by legacy crap.
You completely missed the point. Read the original blog post again.
The concern is that the password reset link can be accidentally saved and used a second time. Keychain can do the same. It has nothing to do with changing your keychain password. Read the original blog post again. Apple is identical in the handling of website addresses... unencrypted.
Make sure you have your own understanding correct before accusing others of spin.
If you can tell me how I can change my Keychain password with a URL, I'll rescind my comment. It's simply not possible afaict.
And yes, I understand that other URLs used for password changes might be stored in there, so that's a concern. But the Keychain password itself cannot be compromised this way.
If you can tell me how I can change my Keychain password with a URL, I'll rescind my comment. It's simply not possible afaict.
Read the blog post. It's NOT your keychain password. The concern is with third party sites with reusable password reset links. I believe Safari encrypts history to protect on this, but I'm not on a Mac right now to check.
If you can tell me how I can change my Keychain password with a URL, I'll rescind my comment. It's simply not possible afaict.
Who said it could? Not sure what you're reacting to here.
Read the blog post. It's NOT your keychain password. The concern is with third party sites with reusable password reset links. I believe Safari encrypts history to protect on this, but I'm not on a Mac right now to check.
ok, I'll put my time where my mouth is and test this out: I'll reset a password for a website I use, store it in my Keychain, and check to see if there's anything in the Keychain data which could expose this. Given that no one has reported it as an issue (especially in light of this article), I'd be very surprised if there is. But obviously one can't be certain without checking themselves.
LOL..typical ignorant AI responses.
-kpluck
Read the blog post. It's NOT your keychain password. The concern is with third party sites with reusable password reset links. I believe Safari encrypts history to protect on this, but I'm not on a Mac right now to check.
Shouldn't the password reset link expire after a short period of time, making the link useless?
Who said it could? Not sure what you're reacting to here.
I misinterpreted the original article and thought that you could change the 1PasswordAnywhere database password using a reusable URL. In which case, if someone was able to reuse that URL via discovering it in the unencrypted metadata, they'd have access to your entire 1Password account.
This would be akin to being able to change your Keychain password using a URL (which you can't) and it exposing that same data.
However, I now see that the blog post was talking about changing passwords for other websites.
LOL..typical ignorant AI responses.
Says the thoroughly educational response from Dr. MagicJack