Security breaches are never a good thing, especially those that involve compromised usernames and passwords. Regardless of the data stolen, the severity of a hack largely depends on what site or service was targeted.
For example, someone stealing the login details to a free message board is much less of a concern than having your online banking details compromised – assuming, of course, that you don’t use the same credentials for multiple or all of your online accounts (you don’t, right?). The latter scenario applies to password managers like 1Password, which is why the company is changing the way it encrypts user data.
Microsoft engineer Dale Myers penned a blog post over the weekend highlighting a weakness in the way 1Password handles the URLs for websites you visit. As it stands today, site URLs aren’t encrypted – something that was done by design when the AgileKeychain was developed in 2008 to reduce the performance hit.
The team introduced a new format called OPVault in 2012 that encrypts a lot more metadata. Concerns over backwards compatibility with Android, Windows and Dropbox synching, however, convinced them to take a conservative approach and not automatically migrate everyone over to OPVault.
Myers’ post, the team said, reminded them that it was time to make the switch to the new format. As such, they’ve already started transitioning to OPVault. For those who don’t want to wait it out, it’s possible to manually make the switch using these guides for Mac, Windows, iOS and Android.