Agilebits has announced that it plans to switch its default 1Password app’s file format in response to concerns raised by Microsoft software engineer Dale Myers. Myers examined the 1PasswordAnywhere’s .agilekeychain file recently and found that its metadata isn’t encrypted.
That means the sites you use with the password aggregator and even their precise login locations are stored in plain text. 1PasswordAnywhere is the program’s feature that gives you a way to access your saved passwords without having to install the software itself.
Myers says if anyone got access to the file, they’d be able to tell which sites you belong to, where your bank accounts are, and which software licenses you own. The bad guys could then use other tactics to reset passwords, or call banks to gain access to your accounts.
In addition, Google indexes the keychains people put on their websites for easy access; Myers was able to discover someone’s job and family details just by doing a simple search based on his keychain.
Agilebits explains that 1Password’s “password anywhere” feature automatically stores data using an older Agile Keychain format. The team explained that the format was introduced in 2008, and the decision was made not to encrypt its metadata to avoid performance issues.
The company now uses a newer and safer format called OPVault, and that’s the format they’ll use for the file going forward.
Users wishing to give up the 1PasswordAnywhere feature in favor of added security can follow the instructions found here to migrate their logins. However, the process will soon be easier to perform, as once OPVault is the default, there will be a simple migration tool provided for making the switch.