1Password is switching its default file format in response to a post by Microsoft software engineer Dale Myers explaining the weaknesses of its current one. Myers recently examined the .agilekeychain file used by 1PasswordAnywhere and found that its metadata isn't encrypted: the sites you've saved in the password manager, right down to the exact login URLs, are stored in plain text. 1PasswordAnywhere is the feature that lets you get at your saved passwords from a browser without installing the software itself.
Myers explained that anyone who gets hold of that file can tell exactly which sites you've signed up for, which banks you hold accounts with and which software licenses you've bought, and can then go after you from there, whether by triggering password resets or by calling your bank pretending to be you. Worse, some people keep their keychains on their own websites for easy access, and Google indexes them; Myers was able to find out one person's job and family details just by running a simple search against his keychain.
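To see for yourself what a keychain gives away before the master password is ever typed, here is a small audit script. It is an added example written for this article, not code from Myers or from 1Password: it builds a constructed sample bundle in a temporary directory (the uuids, titles, URLs and the "encrypted" blob are made up), then reads only the plaintext fields. The layout it relies on (data/default/contents.js, one <uuid>.1password JSON file per item, the first four contents.js columns being uuid, typeName, title and location, and the title/location/typeName keys in each item file) matches the published Agile Keychain format; the trailing contents.js columns and the exact type-name strings are assumptions and are not used by the parser.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample items (not from any real keychain). Type-name strings
# are assumed; the parser never depends on them.
SAMPLE_ITEMS = {
    "1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D": {
        "uuid": "1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D",
        "typeName": "webforms.WebForm",
        "title": "Example Bank",
        "location": "https://online.example-bank.test/login?branch=42",
        "locationKey": "online.example-bank.test",
        "encrypted": "U2FsdGVkX1/not-real-ciphertext/AAAAAAAAAAAAAAAAAAAA",
    },
    "2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E": {
        "uuid": "2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E",
        "typeName": "webforms.WebForm",
        "title": "Vendor account",
        "location": "https://accounts.example-vendor.test/signin",
        "locationKey": "accounts.example-vendor.test",
        "encrypted": "U2FsdGVkX1/not-real-ciphertext/BBBBBBBBBBBBBBBBBBBB",
    },
    "3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F": {
        "uuid": "3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F",
        "typeName": "wallet.computer.License",
        "title": "Photo editor license",
        "location": "",
        "locationKey": "",
        "encrypted": "U2FsdGVkX1/not-real-ciphertext/CCCCCCCCCCCCCCCCCCCC",
    },
}


def write_sample_keychain(root: Path) -> Path:
    """Lay out a minimal .agilekeychain bundle with the constructed items."""
    bundle = root / "sample.agilekeychain"
    default = bundle / "data" / "default"
    default.mkdir(parents=True)
    # contents.js: one JSON array per item, [uuid, typeName, title, location, ...].
    # The trailing columns (folder, timestamp, trashed flag) are approximated.
    contents = [
        [i["uuid"], i["typeName"], i["title"], i["location"], 0, 1443000000, "", 0, "N"]
        for i in SAMPLE_ITEMS.values()
    ]
    (default / "contents.js").write_text(json.dumps(contents))
    for uuid, item in SAMPLE_ITEMS.items():
        (default / f"{uuid}.1password").write_text(json.dumps(item))
    return bundle


def audit_keychain(keychain: Path) -> dict:
    """Report what an Agile Keychain bundle reveals with no master password.

    Only plaintext fields are read; the "encrypted" blob is never touched.
    """
    default = keychain / "data" / "default"
    findings = []
    # The index 1PasswordAnywhere uses to list and search items.
    for row in json.loads((default / "contents.js").read_text()):
        uuid, type_name, title, location = row[:4]
        findings.append({"uuid": uuid, "type": type_name, "title": title,
                         "location": location, "source": "contents.js"})
    # Each item file repeats the same metadata beside its encrypted payload.
    for path in sorted(default.glob("*.1password")):
        item = json.loads(path.read_text())
        findings.append({"uuid": item.get("uuid"), "type": item.get("typeName"),
                         "title": item.get("title"), "location": item.get("location"),
                         "source": path.name})
    hosts = {urlparse(f["location"]).hostname for f in findings if f["location"]}
    return {
        "items": findings,
        "hosts": sorted(h for h in hosts if h),
        "types": sorted({f["type"] for f in findings if f["type"]}),
    }


def demo() -> dict:
    """Build the constructed bundle in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_keychain(write_sample_keychain(Path(tmp)))


if __name__ == "__main__":
    report = demo()
    print("Hosts readable without the master password:", ", ".join(report["hosts"]))
    print("Item types readable without the master password:", ", ".join(report["types"]))
    for f in report["items"]:
        print(f"  [{f['source']}] {f['type']}: {f['title']} -> {f['location']}")
```

Point audit_keychain at a real .agilekeychain directory and the hosts list is exactly what Myers describes: every bank, vendor and service you have an entry for, with the full login URL, and nothing in the encrypted payload is needed to get it. If that bundle sits on a web server, it is also exactly what a search engine gets to index.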
The 1PasswordAnywhere feature automatically stores its data in the company's older Agile Keychain format. The 1Password team explained in its response that the format dates from 2008, when devices were far less powerful, and that it left the metadata unencrypted for performance reasons, so items could be listed and searched without decrypting each one. The company has since released a newer, safer format called OPVault, and that is what will now become the default. If you're willing to give up 1PasswordAnywhere for the extra security, you can follow the company's migration instructions and move your logins now. If you can wait a bit longer, the process will get much easier: once 1Password has finished making OPVault the default, it will ship a simple migration tool for the switch.
[Image credit: Ervins Strauhmanis/Flickr]