“The popular password manager 1Password has been criticised for allowing certain information about users to be available without logging in to the service,” James Titcomb reports for The Telegraph.
“Dale Myers, a software engineer at Microsoft, wrote that malicious actors could potentially gain access to 1Password users’ metadata, including the names and addresses of the websites, software and bank accounts they have access to,” Titcomb reports. “Users are only vulnerable, though, if another person is able to get hold of their keychain files, which 1Password urges its users to keep secure. Myers found several instances of people storing these files publicly on their websites, however.”
“While most people who use 1PasswordAnywhere will not have their keychain files publicly accessible, they could be available on a desktop version of Dropbox, so a person having access to the user’s computer may be able to access it,” Titcomb reports. “The potential vulnerability lies with a format called “Agile Keychain”. AgileBits, 1Password’s developer, offered an alternative to this format in 2012, introducing a new OPVault format which is more secure. Many users are still on the Agile Keychain format, though. Myers urged 1PasswordAnywhere users to switch to OPVault.”
Read more in the full article here.
Also of note: Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.
Why a strong password doesn’t help as much as a unique one – July 22, 2015
Major zero-day security flaws in both iOS and OS X allow theft of Keychain, app passwords – June 17, 2015
Many passwords are so bad they don’t even need to be hacked – January 20, 2015
The secret life of passwords – November 22, 2014
Apple’s iCloud is secure; weak passwords and gullible users are not – September 2, 2014