TLDR: “1Password leaks your data”

Dale Myers is concerned:

For those of you who don’t know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software. (…) The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.

AgileBits isn’t:

Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At this time, 1Password had significantly less processing power to draw from for tasks like decryption, and doing something as simple as a login search would cause massive performance issues and battery drain for our users. Given the constraints that we faced at the time, we decided not to encrypt item URLs and Titles (which resembled the same sorts of information that could be found in browser bookmarks).

I looked at the file in question and indeed, just as Dale pointed out, everything is there. I’m also concerned by AgileBits’ justification; they certainly don’t seem to care deeply about this. Mind you, both parties acknowledge that a new storage format, called OPVault, which is supposed to resolve this, will be enabled by default. They hadn’t done so yet because of some backwards compatibility concerns (srsly?).
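To see for yourself what a synced copy of the keychain gives away, here is a small audit script I’m adding (it is not from Dale’s post or from AgileBits). It assumes contents.js is a JSON array of per-item entries carrying a title and a location/URL, either as positional list fields or as dict keys; that layout and the sample data are my own constructions, not taken from the post.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a contents.js; the field layout
# (uuid, type, title, location, ...) is an assumption for this example.
SAMPLE_CONTENTS_JS = json.dumps([
    ["0A1B", "webforms.WebForm", "Acme Bank", "https://bank.example.com/login", 1],
    ["0A1C", "webforms.WebForm", "Work VPN", "https://vpn.example.org", 1],
    ["0A1D", "passwords.Password", "WiFi at home", "", 1],
])


def plaintext_index(contents_js: str):
    """Return the (title, url) pairs readable without any key, i.e. the
    metadata exposed to anyone who can read the synced folder."""
    exposed = []
    for entry in json.loads(contents_js):
        if isinstance(entry, dict):          # tolerate dict-shaped entries too
            title, url = entry.get("title", ""), entry.get("location", "")
        else:                                # positional layout (assumed)
            title = entry[2] if len(entry) > 2 else ""
            url = entry[3] if len(entry) > 3 else ""
        exposed.append((str(title), str(url)))
    return exposed


def exposure_summary(contents_js: str):
    """Count exposed titles and list the distinct hostnames, which is what
    a third party learns about you from the unencrypted index alone."""
    pairs = plaintext_index(contents_js)
    hosts = {urlparse(u).hostname for _, u in pairs if u}
    hosts.discard(None)
    return {
        "items": len(pairs),
        "titles": sum(1 for t, _ in pairs if t),
        "hosts": sorted(hosts),
    }


def audit_file(path: str):
    """Run the summary over a real contents.js, e.g. the path from the post:
    1Password.agilekeychain/data/default/contents.js"""
    with open(path, encoding="utf-8") as fh:
        return exposure_summary(fh.read())


if __name__ == "__main__":
    print(exposure_summary(SAMPLE_CONTENTS_JS))
```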

On the Mac you can terminal-magic yourself into the future, but be sure to back up your data first. Dale’s post will definitely push AgileBits to do this more quickly, so I’ll wait until the official migration is out.

The whole thing made me realize that 1Password is a black box at this point. Should the migration fail with my database, I won’t really be able to get my data out of their encrypted files; my only option seems to be reverting to an earlier backup and hoping they’ll be able to read that. Now I need to figure out how to back up my data so that I can read it at my own leisure.