AgileBits details potential privacy issue with 1Password


Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At this time, 1Password had significantly less processing power to draw from for tasks like decryption, and doing something as simple as a login search would cause massive performance issues and battery drain for our users. Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks).

Essentially, if you look into the 1Password vault bundle, you'll find a data file containing the URLs of your web logins. This information is in plain text, although the actual login credentials are encrypted. This means someone could discover the websites where you have accounts without unlocking 1Password. Depending on those sites, this could pose a privacy issue. I suppose it could also tip someone off to where you do your banking, for example.

To view this information, they would need to gain access to the 1Password vault, either via local storage on a computer or via the cloud through your Dropbox or iCloud account.

AgileBits notes that a new system is in place called OPVault to remedy this issue. The company said it has been planning on offering a migration path, but has been reluctant to make the switch since older installations of 1Password may be affected.

AgileBits says that if customers want to switch over manually, it provides instructions on its blog (linked above). I went through the steps and it's simple enough. Basically, you need to quit the app, run a command in Terminal, and then reset the sync. You'll then have to reset the sync on all connected devices once the vault has been changed.