When a Leak Isn’t a Leak

Over the weekend Dale Myers wrote a blog post that examined our .agilekeychain format. The post featured a good discussion and analysis of our older data format, but it raised some questions among 1Password users and the wider technology community.

Dale states that he plans to continue using 1Password and has no concerns over the safety of his passwords themselves; his main concern was how the AgileKeychain handles item URLs. While we documented this design decision widely and shared it publicly, Dale was surprised to find that we don’t encrypt URLs within the keychain. We want to reassure users who rely on AgileKeychain that their password data is safe and secure, and to take the time to walk through our data formats and explain the issue completely.

AgileKeychain & OPVault Data Formats

Back in 2008, we introduced the AgileKeychain as a way to help our users better synchronize data across platforms and devices. At that time, the devices 1Password ran on had significantly less processing power to draw on for tasks like decryption, and something as simple as a login search would have caused massive performance problems and battery drain if every item had to be decrypted to find a match. Given the constraints we faced at the time, we decided not to encrypt item URLs and titles (which resembled the same sort of information found in browser bookmarks). The consequence is that anyone who obtains a copy of an .agilekeychain can read those titles and URLs without the master password, even though the passwords and other item contents remain encrypted.

In December 2012, we introduced a new format that encrypted much more of the metadata. OPVault, our newer and stronger data format, provided authenticated encryption as well as many other improvements for 1Password users.

This format worked well in situations where we didn’t need to worry about backwards compatibility, including iCloud and local storage on iOS and Mac. For Windows, Android, and Dropbox syncing, however, we needed to decide if we should migrate to the new format or provide compatibility with older versions of 1Password.

We decided to take a conservative approach and not automatically migrate everyone over to OPVault because many users depend upon older versions of 1Password and they wouldn’t be able to log into their accounts. We knew we could trust the security of the AgileKeychain to protect confidential user data so we didn’t want to rush into something that would disrupt people’s workflows.
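The practical consequence of the design decision above is that a copy of an .agilekeychain, wherever it sits (a Dropbox folder, a backup, an old USB key), yields its item titles and URLs to anyone who can read the files. The following is an added example, written for this page and not code from AgileBits or 1Password, that sweeps a directory tree for .agilekeychain bundles and reports exactly that cleartext metadata, without any key derivation or decryption. It assumes a bundle layout of `data/default/contents.js` holding a JSON array of `[uuid, type, title, url, ...]` index entries; that layout, the sample entries and the Dropbox/backup paths are assumptions constructed for the example, not documentation of the real format.

```python
"""Audit .agilekeychain copies for metadata readable without the master password.

Added example for this page; the bundle layout below is an assumption, not the
documented 1Password format.
"""
import json
import os
import tempfile
from pathlib import Path

# Assumed layout: <name>.agilekeychain/data/default/contents.js holds a JSON
# array of [uuid, type, title, url, ...] entries (assumption for this example).
INDEX_PATH = Path("data") / "default" / "contents.js"


def find_keychains(root):
    """Walk `root` and return every directory whose name ends in .agilekeychain."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".agilekeychain"):
                hits.append(Path(dirpath) / d)
                dirnames.remove(d)  # don't descend into the bundle itself
    return sorted(hits)


def exposed_metadata(keychain):
    """Return (title, url) pairs readable from the index with no decryption at all."""
    index = keychain / INDEX_PATH
    if not index.is_file():
        return []
    entries = json.loads(index.read_text(encoding="utf-8"))
    # Only the two index fields the post says were left in the clear are reported.
    return [(e[2], e[3]) for e in entries if isinstance(e, list) and len(e) >= 4]


def audit(root):
    """Map each keychain copy under `root` to the cleartext titles/URLs it exposes."""
    root = Path(root)
    return {kc.relative_to(root).as_posix(): exposed_metadata(kc)
            for kc in find_keychains(root)}


def build_sample(root):
    """Constructed sample data: a live vault in Dropbox and a stale copy in a backup."""
    entries = [
        ["AA11", "webforms.WebForm", "Example Bank", "https://bank.example", 1400000000, "", 0, 0],
        ["BB22", "webforms.WebForm", "Work VPN", "https://vpn.corp.example", 1400000001, "", 0, 0],
    ]
    for rel in ("Dropbox/1Password.agilekeychain", "Backups/2013/1Password.agilekeychain"):
        index = Path(root) / rel / INDEX_PATH
        index.parent.mkdir(parents=True)
        index.write_text(json.dumps(entries), encoding="utf-8")


def demo():
    """Build the constructed tree in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit(tmp)


if __name__ == "__main__":
    for path, pairs in demo().items():
        print(path)
        for title, url in pairs:
            print(f"  {title!r} -> {url}")
```

Run it against a real root (for example your home directory or a mounted backup) by calling `audit(path)` instead of `demo()`. Every bundle it lists is a copy whose titles and URLs are readable in the clear; after switching to OPVault, the same sweep is the check that no stale .agilekeychain copies remain in backups or sync folders.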

Switching to OPVault

Despite the security of AgileKeychain remaining intact, Dale reminded us that it’s time to move on. The OPVault format is better in so many ways, and we should start sharing it with as many users as possible.

We’ve already started making changes to use OPVault as the default format. In fact, the latest beta of 1Password for Windows does this already. Similar changes are coming to Mac and iOS soon, and we’re planning on using the new format in Android in the future. Once all of these things are complete, we will add an automatic migration for all 1Password users. For users who would like to switch to OPVault sooner than this, here’s how you can get started immediately:

To avoid losing access to your data, be sure to back up your 1Password data beforehand, and only follow these instructions if you are NOT using any legacy versions of 1Password. If you have any questions or concerns, or would like to migrate but aren’t sure if your version of 1Password is affected, our knowledgebase, forums and support team are here to help.

107 replies
  1. bOli
    bOli says:

    If I understand correctly, by using 1Password v5 (app store version) with iCloud sync the vault should already be in the OPVault format.

    I did however still find data in the ~/Library/Application Support/1Password as well as ~/Library/Application Support/1Password 4 folders, which I then deleted, as they are from older (non-AppStore) versions, according to https://support.1password.com/data-locations/mac.html

    Just as a FYI, maybe it’s the same for you.

    • Dave Teare
      Dave Teare says:

      Thanks for sharing your experience, bOli.

      Just to be 100% clear for others reading this, they should NOT delete the ~/Library/Application Support/1Password 4 folder if they are using our webstore version. This is the folder where we store your database (which uses the newer format), so deleting it by accident will be a very bad thing.

      ++dave;

  2. Lap
    Lap says:

    What about users that use Wi-Fi sync between OS X and iOS? Seems that there is a guide for Wi-Fi sync between Android only and not iOS; and for iOS it is only when using iCloud.

  3. Rich
    Rich says:

    Argh. What the official line is isn’t true for the privacy conscious anyway. Basically every username for every site you’ve connected is visible for any copy of agile keychain you’ve ever had. That means if any machine or backup is ever compromised you have a problem. If you have a USB key somewhere that you gave to someone. If you backed up your Dropbox. If any machine has ever been hacked since 2008.

    So I think the right answer is

    A. Delete any agile keychain you have in any backup anywhere. Unless you’re sure that those machines have not been compromised. Since you have no way of knowing, by definition you should wipe. It’s complicated to do this, but a global search of all your machines and all your backups is needed. I use CrashPlan and have lots of machines, but I’m trying to go through them all and wipe them.

    B. For your current system convert to opvault asap. You lose shared vaults immediately, which is sad, and there isn’t a fix date, but to be safe do that. The simplest way seems to be to do that manual conversion and then switch to iCloud sync.

    C. As another aside, no file format is perfect. Last month I had a corruption of agile keychain. It ballooned to 154MB with zillions of duplicates as Dropbox went crazy between machines. Do as always for any software: do a backup, and I actually also do a clear text export and then lock that file.

    D. Ok, as always I’d say: do not use duplicate passwords, and for the truly paranoid rotate all your passwords. It’s a good time to check Watchtower to see what underlying sites have been hacked.

    • Megan O'Brien
      Megan O'Brien says:

      Hi Rich,

      I sincerely apologize for the frustration here, but I hope that your conversion to the .opvault format has been smooth!

      I just wanted to reiterate something that Dave has said earlier in the comments. Many of us on the AgileBits team still use and trust the .agilekeychain format to store our data – including myself! I can assure you that we would not offer this format at all if we thought that it was unsafe.

      If you would like to continue this conversation, please drop us a line at support+social@agilebits.com. :)

  4. emmedema
    emmedema says:

    Quite disappointing that Android would be the last and “unplanned” platform in your road map… “we’re planning on using the new format in Android in the future” really leaves much to be desired as a timetable.

    Any chance you could be more precise? Does “future” mean something in the ballpark of 1 month, 6 months or 5 years?

    Thanks

    • Megan O'Brien
      Megan O'Brien says:

      Hi emmedema,

      I wish I could give you more detail on when .opvault will be ready for 1Password for Android, but we make it a point to not make promises on unreleased features. There are many factors involved in the implementation of a new feature, especially one as major as an entirely new data format, and we’d hate to promise something that became impossible due to factors beyond our control.

      I can assure you though that our developers are aware that this is an issue that is important to users, and we will do all we can to have this resolved soon.

    • Megan O'Brien
      Megan O'Brien says:

      Hi there,

      At this time, it is not possible to sync between 1Password for Windows and 1Password for Mac with iCloud. We never say ‘never’ though, so who knows what the future will bring!

  5. richt
    richt says:

    Is anyone else aggravated that to use iCloud sync, if you bought the “wrong” version, you need to spend $30 (again!) to get the “correct” version of 1Password? Argh, this is all so frustrating; why is this whole system so asymmetric?

    • Megan O'Brien
      Megan O'Brien says:

      Hi there,

      I sincerely apologize for the frustration here! We strive for feature compatibility across all platforms; however, with 1Password on 5 platforms, it’s not always possible to reach that goal. iCloud sync is currently only available through the Mac App Store, but I’d be happy to help you make the switch to .opvault with your data in Dropbox. There are instructions on how to do so here: https://support.1password.com/switch-to-opvault/

      Please send us a message at support+social@agilebits.com if you have any questions about the process!

  6. Dave Teare
    Dave Teare says:

    Hello Bob,

    I hope you had a chance to say hi to the other Bob already :)

    Dropbox sync is basically identical to Folder Sync. The only difference is Dropbox sync will pick different folder locations. The Folder Sync uses whatever format Dropbox sync is configured to use, so by default it will use the AgileKeychain format. This is because Folder sync is often used for syncing with Android, which doesn’t support OPVault format yet.

    ++dave;

    • other bob
      other bob says:

      Hi Dave

      The Folder Sync uses whatever format Dropbox sync is configured to use, so by default it will use the AgileKeychain format.

      I assume that this is not something that I can change? I don’t see anything within the prefs that allow me to change the default.

      Is there a plan and path that can be stated as to how and when 1Password will proceed with the migration to OPvault?

      thanks,

    • Megan O'Brien
      Megan O'Brien says:

      Hi other bob,

      The instructions in our knowledgebase (https://support.1password.com/switch-to-opvault/mac.html) provide instructions on how to change that default from .agilekeychain to .opvault. This change will work for both Dropbox and Folder Sync.

      At this time, I can’t provide any more details on when the migration to .opvault will be implemented, but I can assure you that our team knows it is important to users and we’ll do what we can to resolve this soon.

  7. Rick
    Rick says:

    Your support note for conversion to OPVault (https://support.1password.com/switch-to-opvault/) should also include clear instructions on how to ensure that all prior versions of the AgileKeychain stored on Dropbox are permanently deleted.

    I’m still not certain if I did this correctly, but it seems that Dropbox syncing should be turned off and all deleted versions in Dropbox purged before using the terminal commands to change the format to OPVault. Otherwise, old keychains will still be on Dropbox servers until/unless Dropbox automatically purges them.

    See http://www.labnol.org/internet/permanent-delete-dropbox-files/19212/ for more information about permanently deleting Dropbox files.

  8. Bo S
    Bo S says:

    I chose 1Password because I’m cautious and try my best to be as safe as possible. I wish AgileBits would also have this goal, be as safe as possible. “Safety first, guys!” If AgileBits shared my view of safety you would have given all users running the latest version the choice to migrate to OPVault, with the alternative to stick with AgileKeychain if they choose to do so after being informed of its implications.

    No, it’s not a leak, and not a hack. But when the contents are hidden behind a vault and a password, it surely gives the impression that whatever’s behind that is as safe as behind 5in of reinforced steel.

    • Megan O'Brien
      Megan O'Brien says:

      Hi Bo,

      Thanks very much for sharing your thoughts here. I really appreciate that you chose 1Password because you value security, and I’m sorry that you feel that we’ve fallen short of your standards here.

      I want to reiterate something that Dave has said earlier in the comments. Many of us on the AgileBits team trust the .agilekeychain format for storing our data – including myself! We would not have this data format available for anyone if we did not believe it safe. That being said, we understand that this is important to you all, and we’ll do what we can to regain your trust here.

  9. Tim
    Tim says:

    While I am sure Dale is right about his finding and a stand-up guy, I find it very difficult to take security advice from anyone working at Microsoft.

  10. Michael Kronstadt
    Michael Kronstadt says:

    I use 1Password on iOS, Mac (v 5, not beta, purchased from your website) and Windows (v 4) using agilekeychain and DropBox.

    If I want to convert to the OPvault format, where should I start :-) or does it matter which app I start with?

  11. James
    James says:

    Of course, those of us with Windows and Android can’t use OPVault unless we also want to install the horrible Bonjour protocol to mess up our network. I can sync files perfectly fine across every machine, so why oh why does the trumpeted 1Password 4 for Android STILL not support OPVault!?

  12. James
    James says:

    OPVault is a far better format, but not if we can’t use it!

    I run Windows and Android and will not be messing up my network with Bonjour (nor is my PC necessarily on at the same time I’m wanting to sync my phone). All the devices on my network have an in-sync copy of my vault, but Android can’t open OPVault. Why is this STILL the case when the Android version has only been redeveloped relatively recently and was launched with much fanfare!?

    • Tim
      Tim says:

      People need to realize that nothing that is digital is secure. Ever. 3 years from now someone will discover a security hole in OPVault.

    • James
      James says:

      I’m not sure how that relates to my earlier comment, but I completely agree. The issue here is that OPVault is ALREADY 3 years old, and I can’t even use it… I’m stuck on something that’s 8 years old and with known “limitations”.

      1Password 4 for Android was re-written from the ground up a year ago, why does it not support the latest format?

    • Megan O'Brien
      Megan O'Brien says:

      Hi James,

      Thanks so much for sharing your thoughts here! I’m sorry you’re feeling frustrated with .opvault. I can assure you that our developers know this is important for users. I wish I could give you more details here, but we make it a point not to promise anything with respect to unreleased features. There are just too many factors involved that could affect a release date – many of which are beyond our control.

      I will be sure to pass along your feedback to our team and let them know that you are excited to see .opvault on 1Password 4 for Android just as soon as possible.

      If you have any further questions, please send us a message at support+social@agilebits.com, we’d be happy to continue the conversation there!
