1Password is changing data formats to boost metadata encryption

By Shawn Knight
Oct 20, 2015
Post New Reply
  1. Security breaches are never a good thing, especially those that involve compromised usernames and passwords. Regardless of data stolen, the severity of a hack largely depends on what site or service was targeted.

    For example, someone stealing the login details to a free message board is much less of a concern than having your online banking details compromised – assuming of course that you don’t use the same credentials for multiple / every online account (you don’t, right?). The latter scenario applies to password managers like 1Password which is why the company is changing the way it encrypts user data.

    Microsoft engineer Dale Myers penned a blog post over the weekend highlighting a weakness in the way 1Password handles the URLs for websites you visit. As it stands today, site URLs aren’t encrypted – something that was done by design when the AgileKeychain was developed in 2008 to reduce the performance hit.

    The team introduced a new format called OPVault in 2012 that encrypts a lot more metadata. Concerns over backwards compatibility with Android, Windows and Dropbox synching, however, convinced them to take a conservative approach and not automatically migrate everyone over to OPVault.

    Myers’ post, the team said, reminded them that it was time to make the switch to the new format. As such, they’ve already started transitioning to OPVault. For those that don’t want to wait it out, it’s possible to manually make the switch using these guides for Mac, Windows, iOS and Android.

    Permalink to story.

  2. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,274

    I'm guilty of using the same login credentials for more than one site but then I use a 2 stage verification for those. Nothing is risk free but it's less risky.
  3. jobeard

    jobeard TS Ambassador Posts: 11,123   +982

    Let's be clear; metadata is (gulp) data about data and you might visualize it as
    UserID ->Location, OS, Browser, FB-id, Twitter-Id, Email or a raft of other 'factoids'
    Now for Online Banking, your UserID+Password{+optional 2factor info} gives access to your account. Notice that the metadata {Location, OS, Browser, FB-id, Twitter-Id, Email} provides no compromise of the banking access whatsoever.

    Sure that metadata might compromise your privacy, but in no way enhances the ability of a hacker to access your account.

    Cudos for enhancing privacy !!! But don't get naive that this is a giant leap for mankind.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...