AgileBits will beef up security for 1Password after a Microsoft software engineer raised concerns about the product's existing data format.

1Password stores vaults in a format called AgileKeychain, designed to make syncing password data between devices easier. But as Dale Myers pointed out, anyone with some technical know-how and read access to the vault's files can see, in plain text and without the Master Password, the title and URL of every item, and so which sites a person has accounts on. The credentials themselves stay encrypted; the metadata around them does not.

"If you browse to your .agilekeychain 'file' on disk, you find that it is actually a directory," Myers wrote. "Inside this directory is a file named '1Password.html,'" he wrote. "If you access this file over HTTP (note that using the file protocol won't work), you will be greeted with a grey page which has a lock image and a password field. Enter your password and your keychain will unlock and you have a read only view of your data."

Digging further, Myers found that alongside each encrypted login, 1Password stores, unencrypted, the location at which that username and password are entered. Someone who obtained the vault files would therefore know exactly where each credential is used. He argues that a malicious hacker who also knew the 1Password Master Password could easily find the matching account credentials, log in, and "have full access to my account."

For its part, AgileBits did not shy away from the issue. In a blog post, the company said its decision to use AgileKeychain dates back to 2008, at a time when "1Password had significantly less processing power to draw from for tasks like decryption."

"Doing something as simple as a login search would cause massive performance issues and battery drain for our users," AgileBits said. "Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks)."
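The following script shows what that design decision exposes. It is an added example, not code from the article or from AgileBits: it constructs a small vault on disk and then reads back, with no key of any kind, the item titles and URLs, while checking that the item files keep their secrets under an opaque ciphertext field. The directory layout it assumes (a `.agilekeychain` directory holding `data/default/contents.js`, a JSON array whose rows start with uuid, type, title and location, plus one `<uuid>.1password` JSON file per item with sensitive data under an `encrypted` key) is not described on the page and is an assumption of this example; the sample rows and items are constructed, not real vault data.

```python
"""
Inspect an AgileKeychain-style vault directory and report what is readable
without the Master Password.

ASSUMED layout (not described in the article; treated as an assumption):
  <name>.agilekeychain/data/default/contents.js    JSON array, rows begin
      [uuid, typeName, title, location, ...]
  <name>.agilekeychain/data/default/<uuid>.1password JSON object whose
      sensitive fields sit under the "encrypted" key as an opaque blob.
"""
import json
import os
import tempfile

# Constructed sample rows for the demonstration (not real vault contents).
SAMPLE_CONTENTS = [
    ["A1B2", "webforms.WebForm", "Example Bank",
     "https://bank.example.com/login", "", 1400000000, "", 0, "N"],
    ["C3D4", "webforms.WebForm", "Work mail",
     "https://mail.example.org/", "", 1400000001, "", 0, "N"],
]

# Constructed item files: the placeholder under "encrypted" stands in for
# the real ciphertext; the plaintext keys mirror what contents.js exposes.
SAMPLE_ITEMS = {
    "A1B2": {"uuid": "A1B2", "typeName": "webforms.WebForm",
             "title": "Example Bank",
             "location": "https://bank.example.com/login",
             "encrypted": "U2FsdGVkX1+placeholder-ciphertext"},
    "C3D4": {"uuid": "C3D4", "typeName": "webforms.WebForm",
             "title": "Work mail",
             "location": "https://mail.example.org/",
             "encrypted": "U2FsdGVkX1+placeholder-ciphertext"},
}

# Keys that must never appear outside the ciphertext (assumed names).
SENSITIVE_KEYS = {"password", "username", "notes", "fields", "secureContents"}


def build_sample_vault(root):
    """Write the constructed sample into root/demo.agilekeychain; return its path."""
    vault = os.path.join(root, "demo.agilekeychain")
    data_dir = os.path.join(vault, "data", "default")
    os.makedirs(data_dir, exist_ok=True)
    with open(os.path.join(data_dir, "contents.js"), "w") as fh:
        json.dump(SAMPLE_CONTENTS, fh)
    for uuid, item in SAMPLE_ITEMS.items():
        with open(os.path.join(data_dir, uuid + ".1password"), "w") as fh:
            json.dump(item, fh)
    return vault


def list_plaintext_metadata(vault):
    """Return (title, location) pairs read from contents.js with no key at all."""
    path = os.path.join(vault, "data", "default", "contents.js")
    with open(path) as fh:
        rows = json.load(fh)
    return [(row[2], row[3]) for row in rows]


def audit_item_file(path):
    """Report which keys are plaintext and whether a sensitive key leaked."""
    with open(path) as fh:
        item = json.load(fh)
    plaintext_keys = sorted(k for k in item if k != "encrypted")
    leaked = sorted(k for k in plaintext_keys if k in SENSITIVE_KEYS)
    return {"plaintext_keys": plaintext_keys,
            "has_ciphertext": "encrypted" in item,
            "leaked_secrets": leaked}


def audit_vault(vault):
    """Summarise, per item file, what someone with file access can read."""
    data_dir = os.path.join(vault, "data", "default")
    return {name: audit_item_file(os.path.join(data_dir, name))
            for name in sorted(os.listdir(data_dir))
            if name.endswith(".1password")}


def run_demo():
    """Build the sample vault in a temp dir and return (metadata, audit)."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = build_sample_vault(tmp)
        return list_plaintext_metadata(vault), audit_vault(vault)


if __name__ == "__main__":
    metadata, audit = run_demo()
    print("Readable without the Master Password:")
    for title, url in metadata:
        print(f"  {title!r:18} -> {url}")
    for name, report in audit.items():
        print(name, report)
```

Run it and the first loop prints every site the vault holds an account for, which is exactly the metadata leak Myers described; the audit confirms that, in this layout, the secret fields only ever appear inside the `encrypted` blob. Point `list_plaintext_metadata` and `audit_vault` at a real `.agilekeychain` directory to check one of your own backups the same way.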

In 2012, the company introduced OPVault, a "stronger data format," but opted for a slow rollout because of worries over compatibility with older versions of its software.

"Despite the security of AgileKeychain remaining intact, Dale reminded us that it's time to move on," AgileBits wrote. "The OPVault format is really great in so many ways and we should start sharing it with as many users as possible."

AgileBits plans to make OPVault the default format, and the latest beta of 1Password for Windows already does this. "Similar changes are coming to Mac and iOS soon, and we're planning on using the new format in Android in the future," the company said.

In the meantime, users who would like to switch to OPVault now can do so by following the steps outlined in the AgileBits blog post.
