I felt pretty confident that they would make good choices. I think this is a bad choice, and I feel less confident in their security.
I'm sorry for the confusion. Security choices are many times based on opinion, and this one was just that. We did not feel that storing an item's title and URL unencrypted was a bad security choice, or we would never have done it. Indeed, browser bookmarks and history contain just that information, and if your desktop user account is open, even the browser's saved passwords are readily available. However, as a security app which many people trust to keep their information secure, we decided it was probably best to create a new sync format that did encrypt both the title and URL of every item.
There were two drawbacks to making that new format the default, though. The one that has been most often mentioned is compatibility with older versions. However, that was not the only reason. The other is that many, many people rely on accessing 1PasswordAnywhere from their Dropbox account on the web or elsewhere, like on a USB drive, whether or not they use older versions of the app, and that feature is not available with the new format. We explained that the new format is more efficient and more secure, but 1PasswordAnywhere was more important to them.
Their opinion was that our choice to keep 1PasswordAnywhere around was a good one, despite the fact that the title and URL of items were not encrypted. Your opinion is the opposite. Both are valuable. Since iCloud did not provide a method of accessing synced files from anywhere (and thus 1PasswordAnywhere was out of the question), it was the perfect opportunity to use the new sync format, OPVault. Indeed, any user syncing with iCloud has been using that format.
On the other hand, a very large number of users who sync with Dropbox do so in order to access 1PasswordAnywhere. Of course, we never suggested hosting your 1Password.html file (1PasswordAnywhere) on your own website where it could be indexed by Google and accessed by the general population. When it is synced with Dropbox, it is still behind an additional wall of authentication.
However, as has also been mentioned, it is definitely past time to make OPVault the default, and so we are doing just that. We still believe the AgileKeychain format is secure, but it is not as secure as many people would like, and that is important.
I'm sorry that this situation has caused you to lose confidence in our security measures. Please know that, as has been mentioned by some others, we are completely open about how we store and transmit data, and any questions you have we are happy to answer! This goes for each of the commenters here. If you haven't read our blog post on the subject, you may be interested to do that as well.
Web Developer @ AgileBits
Thanks. In the mean time I found out that as I use iCloud syncing I use .opvault and thus have none of these issues.
Wow, what are you really angry about?
People are using DropBox for secure files and an unencrypted URL is where they are worried?? Maybe the people with a real concern should be looking at their use of DropBox as the first security and privacy issue.
Thank you so much for taking the time to respond. I do feel a good deal of confidence that you guys and gals know what you're doing, and I understand the importance of convenience and why you might make the choice you made.
I feel strongly that the default should be the maximum security that the app can offer, and if someone wants to gets their passwords in a less secure manner, they should be informed of the security compromises they are making. Personally, I only access my passwords through the 1Password apps (both of which I happily paid full price to use) because I want to be more secure. The default for me should have been maximum security rather than using the old format because I set it up on Mac OS X.
That said, right now, I don't trust anyone else more, so I'll probably continue to use your service until/unless I find a more secure option.
Thank you for your understanding!
The default for me should have been maximum security rather than using the old format because I set it up on Mac OS X.
You are absolutely right. We shouldn't have put this off so long, but we have just released a beta version of 1Password for Mac that does just that. https://app-updates.agilebits.com/product_history/OPM4 -- click on "Show betas" there to see and download the latest beta.
I'm not angry. I say these things with love, tough and kinda sticky love.
Well you're wrong. 1Password has not always been redundant, not by a long shot. For a long time it was far more secure and functional than the standard OS X keychain, and it offered a way to sync password information long before iCloud solution. And even now it is more secure (this current news item notwithstanding), accessible, and flexible than the iCloud solution. Have no idea what you're talking about with the taste comment, have you seen Apple's Keychain Access app?
Thanks for your love and concern, but I'll carry on using it thanks.