Password manager 1Password criticised for leaking users’ bookmarks

“The popular password manager 1Password has been criticised for allowing certain information about users to be available without logging in to the service,” James Titcomb reports for The Telegraph.

“Dale Myers, a software engineer at Microsoft, wrote that malicious actors could potentially gain access to 1Password users’ metadata, including the names and addresses of the websites, software and bank accounts they have access to,” Titcomb reports. “Users are only vulnerable, though, if another person is able to get hold of their keychain files, which 1Password urges its users to keep secure. Myers found several instances of people storing these files publicly on their websites, however.”

“While most people who use 1PasswordAnywhere will not have their keychain files publicly accessible, they could be available on a desktop version of Dropbox, so a person having access to the user’s computer may be able to access it,” Titcomb reports. “The potential vulnerability lies with a format called ‘Agile Keychain’. AgileBits, 1Password’s developer, offered an alternative to this format in 2012, introducing a new OPVault format which is more secure. Many users are still on the Agile Keychain format, though. Myers urged 1PasswordAnywhere users to switch to OPVault.”

Read more in the full article here.

MacDailyNews Take: Use unique, strong passwords. We use Apple’s Keychain Access and iCloud Keychain to create and manage passwords. When used properly, this system works like a dream.

Also of note: Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.

SEE ALSO:
Why a strong password doesn’t help as much as a unique one – July 22, 2015
Major zero-day security flaws in both iOS and OS X allow theft of Keychain, app passwords – June 17, 2015
Many passwords are so bad they don’t even need to be hacked – January 20, 2015
The secret life of passwords – November 22, 2014
Apple’s iCloud is secure; weak passwords and gullible users are not – September 2, 2014

9 Comments

  1. Now if only the keychain was extended to work with apps. This is what makes the random, gobbly goop passwords unusable. C’mon Apple, step up and make keychain better!

    PS: Does anybody REALLY KNOW who actually owns these third party password managers like 1Password and others? How do I really know whether my personal information isn’t really going to a 4-star General? People should think about blindly spilling their guts to a third party.

  2. I use a different password for every website and account, and do not use any kind of password repository. Instead I memorise them. Sure I forget some of ’em, but no sweat. For example, if the strap comes off the Hello Kitty handbag I bought from their online store, and I can’t log in to return it, there’s a button to reset the password securely. Using different email addresses for different sites is another good idea (but stay away from Gmail).

  3. Is this a problem only on Windows systems?

    I am not seeing anything they are talking about. Agile strongly encouraged all of us to switch to Apple’s keychain, more than a year ago. (They even nagged us to do it.) If you set up a new install, there are no choices to use Agile’s keychain at all. It’s going to the Apple Keychain. (period – for emphasis)

    This must be a Windows problem. I won’t be able to tell until I get home and review the Windows edition.

    My initial response, though: Mac OS X and iOS versions of 1Password are not impacted, unless you have been ignoring 1Password’s recommendation, brought to our attention at least two major versions ago.

    Slow news day?

    1. Yeah, I agree. And I have 2FA on Dropbox so I don’t even care on my Windows PC. Sounds like something to scare people who don’t understand how things work.

      And for those who don’t understand another part of this, 1Password does not ever see your data. They do not host anything, ever. You decide if you do or don’t want to sync to Dropbox, or other cloud services. You don’t need to do so. So, there is no ‘General’ seeing your data possible. (Software is made in Canada, BTW.)

      Unlike other password managers who I’d never trust.

      1. I guess these leaked bookmarks that “they can’t see” are everyone’s imagination. They can yap till the cows come home about their “security”. The bottom line is that if you spill your guts to third parties, you’re asking for it.

        PS. Canada isn’t so true north, strong, and FREE since secret service Harper took over. Hopefully he gets his ass kicked in today’s election. Don’t look for changes in legislation though that allows for a legal means of invading the privacy of political opponents.

  4. Long-time 1Password user on iOS and Mac OS X.

    Agile Bits allows you to store/sync your data a number of ways as different people may want different setups. For those who wish to trust Apple’s iCloud, that is possible.

    Choice is good, but dangerous in the hands of the ignorant.
