1Password makers AgileBits have promised to change one of the default file formats in the software in response to a blog post by Microsoft engineer Dale Myers, who revealed that an AgileKeychain file exposes unencrypted metadata.
Associated with the software's 1PasswordAnywhere service — which allows remote access without having 1Password installed — the file contains the name and address of every stored item in plain text, which could reveal large swaths of personal information such as visited sites, bank accounts, and purchased apps, Myers said. Worse, keychains hosted on websites are indexed by Google, which could make it easy to learn someone's personal details through an informed Web search.
In its defense, AgileBits insisted that AgileKeychain was still secure, and noted that the format dates back to 2008 when the company was concerned about speed and battery drain problems caused by encryption. It introduced a secure format called OPVault in December 2012, but chose not to automatically migrate everyone since the switch might cause compatibility problems with older versions of 1Password.
The company is already transitioning to making OPVault the default format, starting with the latest 1Password for Windows beta. Mac and iOS upgrades should happen "soon," AgileBits said, and the technology is eventually coming to Android. Only once all these changes happen will migration become automatic.
In the meantime, the company is offering instructions on how to use OPVault where possible. People who only use the 1Password iOS app, for instance, can choose to sync via iCloud.