Password management is an important task for anyone trying to stay secure online, and 1Password is one of the more popular tools for it.
However, some recent information has come to light that has forced 1Password to make changes and ship a feature that has apparently been waiting in the wings. AgileBits, the company behind the password manager, says it will be strengthening its encryption after Dale Myers, a Microsoft software engineer, discovered that the metadata stored in 1Password's .agilekeychain format, the format behind “1PasswordAnywhere”, isn't encrypted.
What this means is that part of the stored information, including the title of each login and the URL it belongs to, sits in plain text alongside the encrypted secret. As a refresher, 1PasswordAnywhere is a browser-based viewer that lets users look up and use their stored passwords from any machine without installing the software itself.
As for the damage a malicious person could do with that plain text: Myers says they could see which software licenses you have purchased, which sites you have signed up with, and even which banks you hold accounts at. That amounts to a ready-made target list, and an attacker who knows exactly where you bank and which services you use has a head start on targeted phishing, password-reset attempts and impersonation.
Worse, some of these keychains have been indexed by Google, because users linked to them from their own websites for easy access. Using one such indexed keychain, Myers was able to identify its owner, where he lived, his job title, and even the names of his wife and children, all from a simple search.
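To make the exposure concrete, here is an added example (not AgileBits' code, and not from Myers' post) that builds a constructed two-item vault and inventories the fields readable without the master password. It assumes the directory layout and field names commonly documented for the .agilekeychain format (`data/default/contents.js` plus one `<uuid>.1password` JSON file per item, with the secret inside an opaque `encrypted` field); the item types, hostnames, timestamps and ciphertext placeholder are all made up for the demonstration.

```python
"""Inventory what a .agilekeychain vault exposes without the master password.

Added example, not AgileBits' code. It assumes the on-disk layout that
third-party parsers of the .agilekeychain format describe:
  <vault>.agilekeychain/data/default/contents.js        (JSON index of items)
  <vault>.agilekeychain/data/default/<uuid>.1password   (one JSON item each)
where each item keeps "title", "location" and friends outside the opaque
"encrypted" blob. Field names that do not match your own vault are assumptions.
"""
import json
import os
import tempfile
from urllib.parse import urlparse

# Per-item fields that sit beside, not inside, the "encrypted" blob (assumed).
PLAINTEXT_ITEM_FIELDS = ("uuid", "typeName", "title", "location",
                         "locationKey", "createdAt", "updatedAt")


def make_sample_keychain(root):
    """Write a constructed two-item vault (sample data, not a real export)."""
    vault = os.path.join(root, "Sample.agilekeychain")
    data_dir = os.path.join(vault, "data", "default")
    os.makedirs(data_dir)
    items = [
        {"uuid": "A1B2C3", "typeName": "webforms.WebForm",
         "title": "Example Bank login",
         "location": "https://login.examplebank.test/signin",
         "locationKey": "examplebank.test",
         "createdAt": 1400000000, "updatedAt": 1410000000,
         "encrypted": "U2FsdGVkX1-CONSTRUCTED-OPAQUE-CIPHERTEXT"},
        {"uuid": "D4E5F6", "typeName": "wallet.computer.License",
         "title": "Example Editor Pro license", "location": "",
         "locationKey": "",
         "createdAt": 1400000001, "updatedAt": 1410000001,
         "encrypted": "U2FsdGVkX1-CONSTRUCTED-OPAQUE-CIPHERTEXT"},
    ]
    for item in items:
        with open(os.path.join(data_dir, item["uuid"] + ".1password"), "w") as fh:
            json.dump(item, fh)
    # contents.js mirrors the index: [uuid, typeName, title, location, updatedAt]
    index = [[i["uuid"], i["typeName"], i["title"], i["location"], i["updatedAt"]]
             for i in items]
    with open(os.path.join(data_dir, "contents.js"), "w") as fh:
        json.dump(index, fh)
    return vault


def exposed_metadata(vault):
    """Return one dict per item containing only what is readable with no key."""
    data_dir = os.path.join(vault, "data", "default")
    report = []
    for name in sorted(os.listdir(data_dir)):
        if not name.endswith(".1password"):
            continue
        with open(os.path.join(data_dir, name)) as fh:
            item = json.load(fh)
        visible = {k: item[k] for k in PLAINTEXT_ITEM_FIELDS if k in item}
        # The secret itself stays opaque; we only note that a blob exists.
        visible["has_encrypted_blob"] = "encrypted" in item
        report.append(visible)
    return report


def exposed_hosts(report):
    """Hostnames an attacker learns from the plaintext location fields."""
    hosts = set()
    for item in report:
        loc = item.get("location") or ""
        if loc:
            hosts.add(urlparse(loc).hostname or loc)
        if item.get("locationKey"):
            hosts.add(item["locationKey"])
    return sorted(hosts)


def summarize(vault):
    """Group the leak by item type, e.g. how many licenses and bank logins."""
    report = exposed_metadata(vault)
    by_type = {}
    for item in report:
        by_type.setdefault(item.get("typeName", "unknown"), []).append(item["title"])
    return {"items": len(report), "hosts": exposed_hosts(report), "by_type": by_type}


def build_and_scan():
    """Create the sample vault in a temp dir and scan it; returns the summary."""
    root = tempfile.mkdtemp(prefix="agilekeychain-demo-")
    return summarize(make_sample_keychain(root))


if __name__ == "__main__":
    print(json.dumps(build_and_scan(), indent=2))
```

Point `summarize()` at a real `.agilekeychain` directory to see your own target list: every hostname and item title it prints is what anyone holding a copy of the vault, or finding it via a search engine, can read with no key at all. Only the contents of the `encrypted` field are protected.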
“But it gets worse. I decided to have a look and see just how bad things were. Thanks to people having links for easy access to their keychain on their websites, Google has indexed some of these. A simple search brings up results. By looking at one of these it was a simple matter to identify the owner of the keychain and where he lived. I know what his job is. I even know the names of his wife and children. If I was malicious, it would be easy to convince someone that I had compromised their account and had access to all of their credentials. Not to mention the fact that they have revealed their location online which may put their personal safety at risk.”
In its response, AgileBits explained that the decision to leave this metadata unencrypted was made back in 2008, because encrypting it caused performance problems on the devices of the day. The company already has an encrypted alternative, the OPVault format, which has been waiting on the sidelines to become the default because AgileBits did not want to break compatibility with older versions of the software.
Users who want the extra protection now can give up 1PasswordAnywhere and switch to OPVault ahead of the planned rollout; AgileBits has published a walkthrough for doing so. Those who would rather wait will get a migration tool once OPVault becomes the default. Whichever format you use, treat the keychain itself as sensitive: never place it in a public folder or anywhere a search engine can reach it.
Do you use 1PasswordAnywhere?