1Password to change file formats after key file found to contain unencrypted data

Comments

  • Reply 21 of 49
    auxio Posts: 2,746 member
    Quote:
    Originally Posted by morganhighley

    I'm sure many of us are using the iOS app and Mac app. Just make sure you sync through iCloud and this is a non-issue. If you are syncing through Dropbox, you can change to iCloud and delete your Dropbox sync files. This really is blown way out of proportion. The MS guy who started this is still using 1Password. That should say something.

    That's assuming every device you want to access your 1Password data from supports iCloud (and you want to sync it to the device). The whole reason why people are putting their 1Password database in publicly accessible places is because they want to be able to use it from anywhere (public computers, etc).

  • Reply 22 of 49
    auxio wrote: »

    That's assuming every device you want to access your 1Password data from supports iCloud (and you want to sync it to the device).  The whole reason why people are putting their 1Password database in publicly accessible places is because they want to be able to use it from anywhere (public computers, etc).

    I was talking about those of us who use the iOS and Mac apps. Both are iCloud compatible. I can access that from anywhere with the Internet. No need to make it publicly accessible.
  • Reply 23 of 49
    iaeen Posts: 588 member
    nasserae wrote: »

    Shouldn't the password reset link expire after short period of time making the link useless?

    It should. In fact, it should expire after a single use. The point is that many websites don't have their security strategy totally figured out, so we can't take things like this for granted.
  • Reply 24 of 49
    imt1 Posts: 87 member
    Why would Dropbox be any more of an issue than iCloud? It's also encrypted and not indexed in Google or anywhere? You can also enable 2 factor authentication, which would render any password reset link moot.
  • Reply 25 of 49
    auxio Posts: 2,746 member
    Quote:
    Originally Posted by morganhighley

    I was talking about those of us who use the iOS and Mac apps. Both are iCloud compatible. I can access that from anywhere with the Internet. No need to make it publicly accessible.

    Consider the situation where someone needs to use a shared PC that's set up with a projector in a meeting room and they find they have to log in to a website to get some information to share with the group (and it's not handy on their phone or they're getting bad reception). These are the types of situations where someone might try to take a shortcut and just have a publicly accessible link to their 1PasswordAnywhere database.

    I actually did something similar for years (prior to 1Password and similar solutions) with a PGP encrypted plain text file.

  • Reply 26 of 49

    That's why I open 1Password on my iPhone to view the needed password and type it where needed.

  • Reply 27 of 49
    auxio Posts: 2,746 member
    Quote:
    Originally Posted by morganhighley

    That's why I open 1Password on my iPhone to view the needed password and type it where needed.

    Yes, I edited to include bad cell reception since I realize everyone here has an iPhone (which isn't always the case in the real world).

  • Reply 28 of 49
    nasserae Posts: 3,167 member
    Quote:
    Originally Posted by auxio

    Yes, I edited to include bad cell reception since I realize everyone here has an iPhone (which isn't always the case in the real world).

    You don't need to have internet service to access your 1Passwords using the iOS app. The data is stored locally and synced to reflect the latest changes when there is internet service. So unless you changed your Dropbox password the moment you lost your reception, you can still get your Dropbox password in that meeting with no cell service. Regardless of the situation, you should never make any file that contains your passwords (encrypted or not) available publicly.

  • Reply 29 of 49

    I don't need the internet to retrieve a password on my phone. Again, this issue is way overblown. 

  • Reply 30 of 49
    jexus Posts: 373 member

    *Hugs His Keepass and Keepass X clients*

  • Reply 31 of 49
    How do I know what kind of keychain is in use?
  • Reply 32 of 49
    auxio wrote: »

    Seriously. As a security-related company you need to have one guiding principle be highest priority: keep information secure. If you sacrifice that for anything else, you're dead in the water.

    Hi,

    It might be new for most users. But the file format of 1Password was publicly documented. So everyone could read it and could have complained about it. I had read it and it was/is OK for me. But sure, I have been waiting for a new file format in Dropbox sync for a while now. But it isn't on my priority list, so I don't even ask AgileBits for it.

    Delorean
  • Reply 33 of 49
    mj web Posts: 918 member

    While a concern, I don't use 1PW Anywhere or post links to my keychain on public sites, which is a stupid practice anyway. I've used 1PW since v1 in Beta and Dave Teare and Agilebits have always been very candid about vulnerabilities and open about security strategy. That's how they're responding to this incident too and for that they should be commended. Knowing Dave I predict a migration from the older format to OP Vault in short order for OS X. I understand Android will take a bit longer. I will wait rather than trying to fix it through Terminal. 

  • Reply 34 of 49
    Quote:
    Originally Posted by Planetary Paul

    How do I know what kind of keychain is in use?

    Hi, Planetary Paul.

    If you have a keychain file on your computer that you use to sync your 1Password data, then it will end in either ".agilekeychain" or ".opvault".

    Here are two that I have in my Dropbox folder:

    The ".agilekeychain" file is the old format. The ".opvault" file is the new format.

    Note that if you are using 1Password 4 or higher for Mac or iOS and you are not syncing your data (or if you're using iCloud), then this situation does not affect you at all.

    Rob Yoder

    Web Developer @ AgileBits

  • Reply 35 of 49
    ai46 Posts: 56 member
    Quote:
    Originally Posted by MJ Web

    While a concern, I don't use 1PW Anywhere or post links to my keychain on public sites, which is a stupid practice anyway. I've used 1PW since v1 in Beta and Dave Teare and Agilebits have always been very candid about vulnerabilities and open about security strategy. That's how they're responding to this incident too and for that they should be commended. Knowing Dave I predict a migration from the older format to OP Vault in short order for OS X. I understand Android will take a bit longer. I will wait rather than trying to fix it through Terminal.

    I too have been using 1Password since the beta. Dave and Co. have been very straightforward about this specific issue since they changed from using Apple's keychain format to the .agilekeychain format back in 2008.

    YES, this issue has been publicly known since 2008. I find the most amusing part of this teacup tornado to be the fact that it was a MS engineer just now discovering it.

    Now for the obligatory questioning of the motives of the various commenters on this site:

    Do you even use 1Password? If not, why are you even commenting?

    If you do, why didn't you do your due diligence before you bought 1Password?

  • Reply 36 of 49
    auxio Posts: 2,746 member
    Quote:
    Originally Posted by NasserAE

    You don't need to have internet service to access your 1Passwords using the iOS app. The data is stored locally and synced to reflect the latest changes when there is internet service. So unless you changed your Dropbox password the moment you lost your reception, you can still get your Dropbox password in that meeting with no cell service.

    And I'm fairly certain you could do all of this ever since the inception of 1Password in June 2006.

    Quote:

    Regardless of the situation, you should never make any file that contains your passwords (encrypted or not) available publicly.

    Agreed (that PGP encrypted text file I had with my passwords for years was only accessible via SSH). But the fact is, people will always try to find ways to make things as easy as possible for themselves without understanding the implications. It's the job of technology designers (especially in the field of security) to do as much as possible to protect people from themselves.

    btw, I checked the information OS X Keychain exposes and I see the unencrypted URLs (at least in the login keychain). However, it only stores the base domain name with a password, not the full URL you used when setting/changing the password. If it's the same for the 1Password AgileKeychain, then I'll admit this issue isn't as big a deal as I initially thought.

  • Reply 37 of 49
    dws-2 Posts: 277 member
    There's no way to spin this. This company wants to manage all your passwords. There should be no security weak links that 1Password knew about beforehand, and this is a weak link. I know that all software has bugs -- this issue here is that the company continued to use a format they knew had security issues. I'm going to rethink whether I want to continue using this service, but that requires an alternative that I trust more.
  • Reply 38 of 49
    nasserae Posts: 3,167 member
    Quote:
    Originally Posted by DWS-2

    There's no way to spin this. This company wants to manage all your passwords. There should be no security weak links that 1Password knew about beforehand, and this is a weak link. I know that all software has bugs -- this issue here is that the company continued to use a format they knew had security issues. I'm going to rethink whether I want to continue using this service, but that requires an alternative that I trust more.

    They were open about it and never tried to hide it. Did you use a security software without understanding what it does and does not?

  • Reply 39 of 49
    morganhighley wrote: »

    I'm sure many of us are using the iOS app and Mac app. Just make sure you sync through iCloud and this is a non-issue. If you are syncing through Dropbox, you can change to iCloud and delete your Dropbox sync files. This really is blown way out of proportion. The MS guy who started this is still using 1Password. That should say something.

    Yeah, it says don't do what Microsoft people do.
    1Password has always been a redundant third-party app. Just another in a long line of up-sell productivity garbage. The root of the problem is an individual's initial attraction to clunky stuff like this.

    Unsubscribe, uninstall and use iCloud. And for those edge cases when iCloud won't work for whatever you're doing, that's your warning signal that it's time to rethink your life.
  • Reply 40 of 49
    dws-2 Posts: 277 member
    Quote:
    Originally Posted by NasserAE

    They were open about it and never tried to hide it. Did you use a security software without understanding what it does and does not?

    Maybe I wasn't as diligent as I should have been, but this story isn't about my personal habits; it's about 1Password's security choices. I have a limited amount of time, and based on the reputation of the people who make 1Password, I felt pretty confident that they would make good choices. I think this is a bad choice, and I feel less confident in their security.
