1Password found to store Account Metadata in plaintext, but your Passwords are encrypted
If you prefer to use a password manager app or service, chances are you have heard of 1Password.
Well, if you are a 1Password user, you may not like this. AgileBits' password manager service has been found to store the user's account metadata in plaintext in its 1PasswordAnywhere feature.
The discovery was made by Dale Myers, a Microsoft engineer. He details the issue on his blog and explains that the .agilekeychain file, which holds the user's password database, is actually a directory of files. One of these files contains the metadata of every single item in the 1Password database in plain text, i.e., unencrypted. The scenario in which he tested this involved storing the keychain file on Dropbox.
So anyone with access to that particular file can see which websites and services you have stored logins for, including bank websites. That puts the user's privacy at risk.
The more important part (read: the worst part) of this issue is that the metadata also stores the login information for some accounts in the URL of the web service itself. So if a URL with "reset password" information is saved, an attacker who manages to get hold of the keychain file in the first place could easily use that link to reset the password.
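The practical question for anyone still on the Agile Keychain format is what the plaintext index actually gives away, and which items need attention before or while migrating. The script below is an added example, not code from the original post, from Dale Myers or from AgileBits: it parses a constructed sample index whose column layout (uuid, type, title, location, ...) is an assumption about the Agile Keychain's item index, lists the hostnames that are readable without any decryption, flags saved URLs that look like reset or verification links or carry secret-like query parameters, and shows the stripped form (scheme, host and path only) such a URL should be saved in.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample (not a real vault): a plaintext item index in the style of
# the Agile Keychain's item index. The column layout assumed here is
# [uuid, type, title, location, ...]; treat it as an assumption, not a spec.
SAMPLE_INDEX = json.dumps([
    ["0A1B", "webforms.WebForm", "Example Bank",
     "https://online.examplebank.test/login", 1445000000, "", 0, "N"],
    ["0A1C", "webforms.WebForm", "Webmail",
     "https://mail.example.test/reset?token=abc123&user=jane", 1445000100, "", 0, "N"],
    ["0A1D", "passwords.Password", "Home Wi-Fi", "", 1445000200, "", 0, "N"],
    ["0A1E", "webforms.WebForm", "Shop",
     "https://shop.example.test/account/verify?code=998877", 1445000300, "", 0, "N"],
])

# Query parameters and path words that typically carry a one-time secret.
SENSITIVE_PARAMS = {"token", "code", "key", "reset", "otp", "ticket", "sig", "signature"}
SENSITIVE_PATH_WORDS = ("reset", "recover", "verify", "confirm", "activate")


def load_index(text):
    """Parse the JSON array that makes up the plaintext index."""
    return json.loads(text)


def exposed_hostnames(entries):
    """Hostnames readable from the index without decrypting anything."""
    return sorted({urlsplit(e[3]).hostname for e in entries if e[3]})


def risky_urls(entries):
    """Items whose saved URL looks like a reset/verification link or carries a secret-like parameter."""
    findings = []
    for uuid, _type, title, location, *_rest in entries:
        if not location:
            continue
        parts = urlsplit(location)
        params = {k.lower() for k in parse_qs(parts.query)}
        hits = sorted(params & SENSITIVE_PARAMS)
        path_flag = any(w in parts.path.lower() for w in SENSITIVE_PATH_WORDS)
        if hits or path_flag:
            findings.append({"uuid": uuid, "title": title, "host": parts.hostname,
                             "params": hits, "path_flag": path_flag})
    return findings


def safe_location(url):
    """The form a saved URL should take: scheme, host and path only, no query or fragment."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


if __name__ == "__main__":
    items = load_index(SAMPLE_INDEX)
    print("hosts visible in plaintext:", exposed_hostnames(items))
    for f in risky_urls(items):
        print(f"REVIEW {f['uuid']} ({f['title']}): {f['host']} "
              f"params={f['params']} path_flag={f['path_flag']} "
              f"-> save as {safe_location(items[[e[0] for e in items].index(f['uuid'])][3])}")
```

Run against a real index, every flagged item is one whose embedded link should be treated as already exposed: change that account's password, let the one-time link expire, and re-save the item with the stripped URL. The hostname list is what an attacker with the synced file learns even if every password stays encrypted, which is the privacy point the article makes.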
Should you worry about this?
Technically, unless you have an old 1Password account that uses the legacy Agile Keychain format, you needn't worry.
Let me explain why: that format has been superseded by a more modern one called OPVault. Softpedia reports that OPVault does not support 1PasswordAnywhere and is not affected at all.
An AgileBits employee confirmed that 1Password stores the user's account metadata in plaintext. Apparently this was done on purpose, to keep performance acceptable on users' systems, which might have suffered if the data had been encrypted. OPVault, on the other hand, is the safer format, and the company recommends that all users switch to it. So if you are using the newer database format, you should be fine.
Interestingly, I observed that when you install the app and click on create a new 1Password Vault, it does indeed use the Agile Keychain format by default, and not the more secure OPVault.
While the news may be a bit disheartening, the important thing here is that although the account metadata is in plaintext, your passwords are still encrypted, and hence safe.
On a side note, we came across a similar issue of user account info being displayed in plaintext by several of Microsoft's websites.