April 10, 2012
Following the discovery of a security hole in the way the Dropbox iOS app handles login credentials, AgileBits has updated 1Password, its bestselling password management app for iOS, to version 3.6.5. The update changes the way the app stores Dropbox login information and revises other important security-related aspects.

Prior to this update, 1Password stored Dropbox OAuth tokens, which allow quick connection to the popular syncing service, in a location that turned out to be vulnerable to access by malicious hackers. Once a different user gains access to your device and, subsequently, to the file that contains your OAuth token, they can easily copy this file to other devices and log in to your Dropbox account from those devices. Although your 1Password data saved in your Dropbox account remains encrypted, AgileBits is shrewd enough to reinforce the security of the communications between 1Password and Dropbox. In the new version of 1Password, Dropbox OAuth tokens are saved securely in the iOS keychain, where they can no longer be accessed and copied to other devices.

But perhaps a more significant new feature of 1Password is its implementation of Password-Based Key Derivation Function 2 (PBKDF2). In essence, PBKDF2 makes it far more difficult for attackers to crack your master password and arrive at your data's encryption key. It works by repeating the key derivation step many times (1000 iterations, to be exact), so that every attempt made by automatic password-guessing software costs that much more work.

In addition, 1Password 3.6.5 brings better support for the new iPad's Retina display and better login filling. Of course, more bug fixes are also made under the hood with the latest update. With this update, AgileBits once again lends credence to its mantra: "Security is a process, not a product."

The 1Password app is available in the App Store in three flavors: 1Password for iPhone ($9.99), 1Password for iPad ($9.99), and 1Password Pro (universal, $14.99).
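To make the "1000 iterations" of PBKDF2 mentioned above concrete, here is an added example (not code from AgileBits or 1Password) that implements the PBKDF2 loop from RFC 2898 and measures how much the iteration count raises the cost of a single password guess. HMAC-SHA1, the 16-byte salt, the sample master password and the function names are assumptions; the article states only the iteration count.

```python
import hashlib
import hmac
import os
import struct
import time

ITERATIONS = 1000  # the count the article gives for 1Password 3.6.5


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, dklen: int = 20) -> bytes:
    """PBKDF2 (RFC 2898) written out over HMAC-SHA1 (assumed PRF) to expose the loop."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    out = b""
    block = 1
    while len(out) < dklen:
        # U1 = HMAC(password, salt || INT32_BE(block index))
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha1).digest()
        t = int.from_bytes(u, "big")
        # U2..Uc: each round feeds the previous output back in, and the XOR of
        # all rounds is the block. Every guess has to repeat the whole chain.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block += 1
    return out[:dklen]


def guess_cost_ratio(iterations: int, trials: int = 50) -> float:
    """Measured time of one stretched guess relative to a 1-iteration guess."""
    salt = os.urandom(16)

    def timed(count: int) -> float:
        start = time.perf_counter()
        for i in range(trials):
            hashlib.pbkdf2_hmac("sha1", b"guess%d" % i, salt, count, 16)
        return time.perf_counter() - start

    return timed(iterations) / timed(1)


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed sample salt
    master = b"correct horse battery staple"   # constructed sample master password
    key = pbkdf2_sha1(master, salt, ITERATIONS, 16)
    assert key == hashlib.pbkdf2_hmac("sha1", master, salt, ITERATIONS, 16)
    print("derived key:", key.hex())
    print("cost per guess vs. 1 iteration: %.0fx" % guess_cost_ratio(ITERATIONS))
```

The salt does not slow a single guess; it prevents one precomputed table from being reused across users, while the iteration count is what multiplies the per-guess work.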