1Password Meta Data Leak

2-minute read
Security 1Password

Earlier today I came across this Tweet from Hacker News:

1Password Leaks Your Data http://t.co/3ETH2z6NIV – Hacker News (@newsycombinator) October 18, 2015

tl;dr: They seem to leak some meta data when you’re using the old Agile Keychain format. Though this can be bad enough, Dale Myers found that they’re not leaking any passwords or secure notes. This can be fixed by running a simple command on your Terminal. The command depends on which version of 1Password you’re using and where you acquired it. For version 5, from their website (not from the Mac App Store) it is:

defaults write 2BUA8C4S2C.com.agilebits.onepassword4-helper useOPVaultFormatByDefault true

The other options can be found in the linked article over on AgileBits’s Forums.

Let me summarise: Do not use the Agile Keychain format. It leaks your data. If you are using it, convert it to the OPVault format immediately.

After you’ve performed these steps on your computer, you might want to start from scratch on your mobile devices. I tried to merge the two vaults (the original one on the phone and the new one on Dropbox) into one, without luck. To do this, you can reset all the settings and data of 1Password within it’s settings. When you launch the app again it will prompt you with the initial setup screens.

It’s always a great idea to create a backup, especially when you’re fiddling around with your password store.