In Defense of 1Password

Dale Myers made a splash last week with an article explaining that 1Password had a flaw causing it to leak the URLs that are stored in the default .agilekeychain format. A lot of people have reacted by freaking out and either switching to the newer OPVault file format, or leaving the app altogether. My approach is a different one. I am going to relax and wait for the Agile developers to solve this issue. I still absolutely trust 1Password with my data.

To be clear, I am not saying what happened here was not a mistake, nor that 1Password should not fix it. They absolutely should. No app should leak data, and this is even more true of a security app like this.

But here’s the thing, the data 1Password is leaking is not very personal, it is not easy to get, and it is more or less useless without the data that 1Password is still protecting well. From Dale’s article there are three major issues with the data leak.

Issue one is the leaked data may contain URLs that are sensitive. Of course the example is a porn site, which seems to be the big, scary login that everyone is afraid of other people knowing they have. Personally I would much rather see a porn URL than a login for the NRA, but I guess that is just me.[1] But point taken, this is probably the biggest concern since it’s hard to predict how this kind of data leakage could be used nefariously.

But I am not too worried about this since in order to get to this file you would already have to compromise my Dropbox account. Not impossible, but with a strong password and two factor enabled I am not overly concerned about this. It’s a lot of work to go through to get questionably useful data. I would be concerned about a lot more in my Dropbox account than this.

Issue two is that the URLs themselves could potentially be dangerous. The way 1Password works is it stores the address you use the first time you log in to a site. Fine if you log in through the normal login URL, but what if you end up storing a password reset URL? This is the kind you get in your email when you click the Forgot Password link. It turns out that some of these URLs continue to work long after they have been used.

This is a huge problem, but it is not really 1Password’s problem. The web developers responsible for these sites are the ones who should be freaking out over this issue. A password reset URL must only work once, and only be valid for a short period of time. Anything else is a huge vulnerability. Yes, having one of these poorly managed addresses leak from 1Password is a problem, but these things are in email, which is just as likely to be compromised. I will, however, be going through my 1Password data and changing any of these URLs that may have snuck past me to just the base login URL.
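What "only work once, and only for a short period" means on the site's side, as an added example (not code from this post, from Dale's article or from 1Password). The `ResetTokenStore` name, the in-memory dict and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the post only says "short"


class ResetTokenStore:
    """In-memory stand-in for a site's password reset table (hypothetical)."""

    def __init__(self, ttl=RESET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # user -> (sha256 hex of token, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Create the token for the emailed link; replaces any older one."""
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a leaked table does not yield usable links.
        self._pending[user] = (self._digest(token), self._clock() + self._ttl)
        return token

    def redeem(self, user, token):
        """Return True exactly once for a valid, unexpired token."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        stored, expiry = entry
        if self._clock() >= expiry:
            del self._pending[user]  # expired links are purged, not kept around
            return False
        if not hmac.compare_digest(stored, self._digest(token)):
            return False
        # Invalidate before the password change so a saved link cannot be replayed.
        del self._pending[user]
        return True
```

With a flow like this, a reset URL that ends up saved in a password manager or left in an inbox is dead after its first use or after the lifetime elapses, whichever comes first.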

Problem three is that this information may be available in Google. This is obviously extremely bad, but in order for this to happen the users would really have had to have done something silly. Specifically, you would need to have shared your 1Password data as a publicly available file in your Dropbox account.

This is not default behavior. Do not do this. You don’t have to share your 1Password file to sync it. 1Password for all platforms will allow you to authenticate that instance of the app to grab the data. This will not expose it to anything else other than the 1Password app. You should never, ever share files in your Dropbox publicly unless that is the specific purpose of the file.

The immediate answer to solve all these issues is to switch to the OPVault format. This is a new format Agile has created to succeed the agilekeychain file. You can do it now, but 1Password will be updated soon with an automatic migration tool. I intend to just wait for that rather than go through the trouble of enabling it now via command line. Why potentially mess up my sync data for an issue that is very unlikely to be a problem for me in the near future?

In summary, this was an error that 1Password made, yes. And it needs to be fixed. Data leakage is bad. But the main purpose of 1Password, storing your passwords securely, remains intact. I agree with Dale, I will continue to use this software. I still feel safe and secure keeping my passwords there. Every other alternative is weaker.[2]

  1. See my piece on Coming Out as Sex Positive for more on this. I don’t find consumption of legal, sex positive porn to be anything to be ashamed of.
  2. I guess there is LastPass, but I do not trust LogMeIn at all. And they now own it.
In Defense of 1Password was last updated March 31st, 2016 by Michael Truskowski