There's a serious leak in 1Password that you should plug now

October 20, 2015

If you use a certain feature within the 1Password app, you might want to take some extra steps to secure your data. The 1PasswordAnywhere feature, which lets you read your keychain from a browser without the client software, depends on a keychain format that leaves some information unencrypted, as discovered by Microsoft software engineer Dale Myers. Worse still, Myers points out, that information can end up being indexed by Google.


Here’s the issue. The 1Password app stores all of your data in a directory on disk (the .agilekeychain bundle), which lives inside your Dropbox folder if you have the software set to synchronize that way. Inside this directory is the 1PasswordAnywhere page, an HTML file that asks for your master password and then displays your items in the browser. Most of the files within this directory are encrypted, but a pretty crucial one is not.

This particular file is the keychain’s index: it lists the title and web address (URL) of every item you have stored in 1Password. No actual passwords, mind you, but every website, login name, software you have licenses for, banks and credit cards you do business with, and so forth, all readable without a master password.

How does this end up on Google? Well, it turns out that quite a few people put links to their 1Password keychains on their Web pages, for easy access. Google has indexed some of these already, so a pretty simple search finds someone’s keychain. Once you have a direct link into someone’s keychain directory, you only need to change the path in that URL from the 1PasswordAnywhere page to the unencrypted index file, and the browser shows it in plaintext.

From there, it’s easy to find out the owner of that keychain and where they live, along with all of the entries in their 1Password file, sans the actual passwords. That list is exactly what a scammer needs for a convincing pretext: a nefarious third party could contact you, name the bank or service you actually use, claim your computer has been compromised, and talk you into revealing the sensitive parts, such as the passwords or credit card numbers themselves.


AgileBits, the creators of 1Password, actually did this by design. When they first built the keychain format, the devices it ran on had quite a bit less processing power than they do now, so they left that index file unencrypted to make 1Password load, search, and sync faster.

Here’s how to fix it. Change over to the OPVault format that AgileBits launched in 2012, which encrypts the index as well as the items. This format drops the ability to use 1PasswordAnywhere, but it keeps your data much more secure. Automatic migration to the new format is coming soon, but AgileBits has posted instructions to manually migrate to the new format, if you want to be safe and make the change sooner rather than later. One caveat worth remembering: migrating creates a new vault, so also delete the old .agilekeychain copies from Dropbox, from any web server you linked them from, and from any backups, or the old plaintext index stays readable exactly where it was.
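The two points above (what the legacy keychain exposes without a master password, and what the OPVault migration changes) can be checked on your own sync folder. The audit script below is an added example, not AgileBits code. It assumes the .agilekeychain layout as described (the 1PasswordAnywhere page at the bundle root, and an unencrypted JSON index at data/default/contents.js whose rows start with uuid, type, title and location), reports every legacy bundle it finds together with the item titles and URLs anyone holding a link could read, and lists any .opvault bundles as already migrated. The sample bundle it builds in a temporary directory is constructed for the demonstration and contains made-up entries.

```python
"""Audit a sync folder for legacy 1Password keychains with a plaintext index.

Added example, not AgileBits code. Layout assumptions (legacy .agilekeychain):
  <name>.agilekeychain/1Password.html            -> 1PasswordAnywhere page
  <name>.agilekeychain/data/default/contents.js  -> unencrypted JSON index,
      each row assumed to begin [uuid, type, title, location, ...]
A <name>.opvault directory is treated as the migrated, fully encrypted format.
"""
import json
import tempfile
from pathlib import Path


def find_bundles(root, suffix):
    """Yield every directory below root whose name ends with suffix."""
    for path in Path(root).rglob(f"*{suffix}"):
        if path.is_dir():
            yield path


def audit_keychain(bundle):
    """What an unauthenticated reader learns from one .agilekeychain bundle."""
    bundle = Path(bundle)
    index = bundle / "data" / "default" / "contents.js"
    report = {
        "bundle": bundle.name,
        "anywhere_enabled": (bundle / "1Password.html").is_file(),
        "plaintext_index": index.is_file(),
        "items": [],
    }
    if index.is_file():
        # No master password is needed for this read: the index is plain JSON.
        for row in json.loads(index.read_text(encoding="utf-8")):
            if isinstance(row, list) and len(row) >= 4:
                report["items"].append(
                    {"type": row[1], "title": row[2], "location": row[3]}
                )
    return report


def audit_tree(root):
    """Audit a whole folder: legacy bundles get a report, OPVaults are listed as safe."""
    return {
        "legacy": [audit_keychain(b) for b in find_bundles(root, ".agilekeychain")],
        "opvault": [b.name for b in find_bundles(root, ".opvault")],
    }


def build_sample_tree(parent):
    """Construct a throwaway folder with one legacy bundle and one OPVault (demo data)."""
    legacy = Path(parent) / "1Password.agilekeychain"
    (legacy / "data" / "default").mkdir(parents=True)
    (legacy / "1Password.html").write_text("<!-- placeholder for 1PasswordAnywhere -->")
    rows = [  # constructed entries, same shape as the assumed legacy index rows
        ["0000A", "webforms.WebForm", "Example Bank", "bank.example.com", 0, "", 0, "N"],
        ["0000B", "webforms.WebForm", "Example Mail", "mail.example.net", 0, "", 0, "N"],
        ["0000C", "wallet.financial.CreditCard", "Example Visa", "", 0, "", 0, "N"],
    ]
    (legacy / "data" / "default" / "contents.js").write_text(json.dumps(rows))
    (Path(parent) / "1Password.opvault").mkdir()  # migrated vault, index encrypted
    return parent


def run_demo():
    """Build the sample tree, audit it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    result = run_demo()
    for rep in result["legacy"]:
        print(f"{rep['bundle']}: 1PasswordAnywhere={rep['anywhere_enabled']} "
              f"plaintext index={rep['plaintext_index']}")
        for item in rep["items"]:
            print(f"  {item['type']:28} {item['title']:15} {item['location']}")
    for name in result["opvault"]:
        print(f"{name}: OPVault, index encrypted (migrated)")
```

Point it at your Dropbox root (audit_tree("~/Dropbox" expanded) instead of the demo tree) and at the document root of any web server you ever linked a keychain from; any bundle that shows up under "legacy" with plaintext_index set is exposing its item list to whoever can reach that path, regardless of how strong the master password is.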

Mentioned apps

1Password - Password Manager and Secure Wallet
AgileBits Inc.