1Password vulnerability and the (really) poor workarounds

Well, the biggest problem is having lots of passwords, and the solution is a password manager. But what if the password manager gets hacked or has vulnerabilities? Or is closed source? Sadly, both of the managers I've used have had both problems.

Lastpass. I switched away last year because their site was compromised and, more importantly, they have your key, so they are vulnerable to government orders that can force them to provide all your passwords, and of course there is always the next hack. There went cross-platform password management. And they are closed source, so there isn't any way to know about back doors. Two strikes, and sigh.

1Password. My recommendation for the last year. Sadly, their default file format, Agile Keychain, stores the title and URL of every item in clear text (and anything that was embedded in those URLs when the item was saved); only the item contents, including the password, are encrypted. And of course they are closed source. The solution is to convert immediately to their newer OPVault format. This isn't easy, since OPVault is only used for iCloud sync and Wi-Fi sync and not Dropbox sync, so there goes interop with Windows and Android, and shared vaults. More worrisome, they don't seem to take it too seriously, because old copies of the Agile Keychain on any backup or USB key are still exposed. So call it 1 1/2 strikes. Fortunately the Internet is pretty good at publishing vulnerabilities, but it makes you wonder how seriously they take them. You really want your password and security vendors to be more paranoid than you. On the other hand, at least they publish their formats and, most importantly, are zero knowledge on your master password: they cannot decrypt your vault, although of course they could be required to insert a back door into their closed-source updates.

Apple. Given all this I'm really thinking about just moving to Apple password management. They seem to take user security seriously and have even said they cannot decrypt devices running iOS 8 or later. They could of course always be forced to put in a back door.

Open source. I looked, but there doesn't seem to be anything that does password sync and is open source and usable. Time to look again.
In the meantime, if you do use 1Password, here are the recommendations.

  1. If you started using 1Password in the last year and use iCloud sync, you should be OK. Do a global search on your machine for agilekeychain to be sure.
  2. If you use Dropbox sync you are exposed, and if you find agilekeychain on any of your machines then you need to start deleting those files, because the official line isn't true for the privacy conscious anyway. Basically the title and URL of every site you've connected is visible in any copy of the Agile Keychain you've ever had. That means if any machine or backup is ever compromised you have a problem: if you have a USB key somewhere that you gave to someone, if you backed up your Dropbox, if any machine has ever been hacked since 2008.

Roughly here’s a guide for the paranoid:

As another aside, no file format is perfect. Last month I had a corruption of the Agile Keychain: it ballooned to 154MB with zillions of duplicates as Dropbox went crazy syncing between machines. Do as always for any software: make a copy and a backup. I actually also do a clear-text export and then password-protect that file. Note that the unprotected export is a bigger exposure than the Agile Keychain metadata for as long as it exists, so protect it immediately and make sure the plain copy is gone from disk and from backups.

A. Delete any Agile Keychain you have in any backup anywhere, unless you are sure those machines have never been compromised. Since by definition you have no way of knowing that, you should wipe. It's complicated to do: a global search of all your machines and all your backups is needed. I use CrashPlan and have lots of machines, but I'm trying to go through them all and wipe them.

B. For your current system, convert to OPVault ASAP. You lose shared vaults immediately, which is sad, and there isn't a fix date, but to be safe do it. The simplest way seems to be to do the manual conversion and then switch to iCloud sync. 1Password explains how: basically you open Terminal on your Mac and enter a command line that writes a preference, and from then on that copy of 1Password creates OPVault files instead of Agile Keychain ones. It looks like you have to do this on every computer. Then you convert to OPVault by removing the Dropbox sync and recreating the sync, which creates the OPVault file.

C. Go to all your iOS devices, and you should see sync is disabled on all of them, since the Agile Keychain isn't found. There is a problem where you actually need to buy a different version of 1Password (argh!), since the version from the Mac App Store does iCloud sync but the version from AgileBits does not. Are we aggravated right now! The only solution is to pay twice, or use folder sync and lose all local sync access. I can't tell you how depressing this really is, but that's the state of this nation.

D. OK, as always I'd say: do not use duplicate passwords, and for the truly paranoid, rotate all your passwords; rotation is the only real remedy for anything that was already exposed in an Agile Keychain URL. It's a good time to check Watchtower to see which underlying sites have been hacked.
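The global search from recommendation 1 and step A above can be scripted. The following is an added example (my code, not from the original post and not from AgileBits): it walks a directory tree, finds every *.agilekeychain bundle, and reports what each bundle gives away without the master password, so you can see for yourself why a stale copy on a backup matters. It assumes the bundle layout data/default/<uuid>.1password and the field names typeName, title, location, locationKey and encrypted from the published Agile Keychain design; check those against one of your own item files before trusting the report. The sample bundle it builds in a temp directory is constructed, not a real vault.

```python
"""Find 1Password Agile Keychain bundles and show what they expose.

Added example, not code from the original post or from AgileBits.
It walks a directory tree, finds *.agilekeychain bundles and reads the
per-item data/default/<uuid>.1password JSON files. The field names used
here (typeName, title, location, locationKey, encrypted) are assumptions
based on the published Agile Keychain design; check them against one of
your own item files before trusting the report.
"""
import json
import os
import tempfile


def find_keychains(root):
    """Return the path of every *.agilekeychain bundle under root."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in list(dirnames):
            if name.lower().endswith(".agilekeychain"):
                hits.append(os.path.join(dirpath, name))
                dirnames.remove(name)  # a bundle is a leaf; do not descend
    return sorted(hits)


def plaintext_metadata(keychain):
    """Read everything in a bundle that needs no master password at all."""
    items_dir = os.path.join(keychain, "data", "default")
    exposed = []
    if not os.path.isdir(items_dir):
        return exposed
    for name in sorted(os.listdir(items_dir)):
        if not name.endswith(".1password"):
            continue  # contents.js, encryptionKeys.js etc. are not items
        with open(os.path.join(items_dir, name), encoding="utf-8") as fh:
            item = json.load(fh)
        exposed.append({
            "file": name,
            "type": item.get("typeName"),
            "title": item.get("title"),
            "url": item.get("location"),
            "domain": item.get("locationKey"),
            # only this blob is ciphertext; it holds username, password, notes
            "encrypted_bytes": len(item.get("encrypted", "")),
        })
    return exposed


def scan(root):
    """Map each bundle path found under root to its clear-text metadata."""
    return {kc: plaintext_metadata(kc) for kc in find_keychains(root)}


# Constructed sample item, not a real vault entry. The URL deliberately
# carries a query parameter to show that whatever was in the page address
# when the item was saved ends up in clear text too.
SAMPLE_ITEM = {
    "uuid": "0123456789ABCDEF0123456789ABCDEF",
    "typeName": "webforms.WebForm",
    "title": "Example Bank",
    "location": "https://bank.example.com/login?user=alice",
    "locationKey": "bank.example.com",
    "updatedAt": 1446000000,
    "encrypted": "U2FsdGVkX18" + "A" * 85,  # base64 placeholder for 'Salted__...'
}


def build_sample(root):
    """Write a one-item constructed bundle under root; return its path."""
    kc = os.path.join(root, "Backups", "old", "1Password.agilekeychain")
    items_dir = os.path.join(kc, "data", "default")
    os.makedirs(items_dir)
    with open(os.path.join(items_dir, "contents.js"), "w", encoding="utf-8") as fh:
        fh.write("[]")  # index file, skipped by the scanner
    with open(os.path.join(items_dir, SAMPLE_ITEM["uuid"] + ".1password"),
              "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_ITEM, fh)
    return kc


def demo():
    """Build the constructed bundle in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found = scan(tmp)
        return {os.path.relpath(kc, tmp): items for kc, items in found.items()}


if __name__ == "__main__":
    for kc, items in demo().items():
        print("found bundle:", kc)
        for it in items:
            print("  %-18s %-14s %s" % (it["type"], it["title"], it["url"]))
```

Point scan() at / or at a mounted backup instead of the temp directory and every path it returns is a bundle to delete under step A; the title and URL columns are exactly what anyone holding that copy can read without your master password.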