These days you will have surely read articles about a serious security flaw in 1Password, one of the best applications that exist for iOS and OS X and one of our favorites for the good work that its developers do with it, with constant updates at no cost to its users users. Personally, it is in the application that I trust to store my passwords, bank details, credit cards, etc. for years now, and I've been so concerned about finding out about this security flaw because I was very interested in it. As often happens in these cases, scaremongering and sensationalism floods the web (Let's not forget that it is what sells the most) so I am going to try to clarify what has happened and what consequences it may have.
The problem
Everything is based on a report published by a Microsoft engineer, Dale Myers, in which he assures that 1Password saves data unencrypted in its AgileKeychain encryption system. These unencrypted data are specifically the web addresses of those pages that we have saved in this service, and their titles, but never our access data itself, which does remain perfectly encrypted. Why keep this data unencrypted? Basically because encrypting them at that time (we are talking about 2008) caused problems for some devices when accessing that data and caused performance and battery problems.
So far one can think, "What is the problem?" Many users use 1PasswordAnywhere, a function that Dropbox uses to store your 1Password keys and allows you to access them from any browser without having the application installed on the device. This is precisely where the main problem lies: Google indexes this content when it is stored in an html file, and someone with the necessary knowledge can have access to this file and know that data without encryption. I insist again, never your access data, only web addresses and names of the webs that you have stored in 1Password, never your credentials.
The solution
The 1Password developers themselves already solved this problem back in 2012 with a new way of saving your data called OPVault. This new system encrypts all data, including those that were not encrypted with AgileKeychain. So what is the problem? That they had to decide whether to use OPVault as the sole encryption system, or to continue using AgileKeychain as an alternative. And they opted for this second option.
Why maintain a less secure system? OPVault did not pose a problem with iOS and Mac OS X users, but with Windows, Android users, and those who chose Dropbox as their data sync system. Older 1Password versions of the latter were not compatible with OPVault, so they had to decide what to do: leave those old versions behind or continue giving compatibility to everyone. And they opted for this second alternative, keeping the option of using AgileKeychain.
The real magnitude of the problem
The most important thing is to insist on the data that someone who could reach that html file and read your data would have access to (which is not easy): web addresses and web titles. That's all. Yes, it is true that nobody has to know this data, and that it is a fault that must be corrected, but There is no need to fear for your access data to the websites or your credit card numbers, which is a relief.
Once this is clear, it is also necessary to point out who are those who have this problem: those who still use AgileKeychain. Those users who already use OPVault don't have the slightest problem either. Who are the ones using OPVault? Those who use 1Password for iOS and OS X with the iCloud sync option enabled (as is my case). If this is also your case, then there is no problem with you. If you are a 1Password user on Windows, Android or you use Dropbox as a synchronization system then you have to change to OPVault as a storage system, which you have perfectly explained in the Agilebits blog, 1Password developers (at the end of the article).
Great article Luis, that is how rigorous journalism should be and even more so when it comes to security.