Ok, breathe deep and… release. Let’s now approach this whole passwords managers thing with a bit of a level head. It was only a few months ago now that I wrote about how The Sky is Falling and Password Managers are Risky. This was in the wake of LastPass’ incident where some of their master password hashes got out there into the wild. At the time, there were those that claimed password managers were the devil’s work and here, laid bare in front of us all, was evidence that their demise cannot come soon enough. Then there were those such as world-renowned password cracking expert Jeremi Gosney who said he was so unconcerned about the incident that he didn’t even feel inclined to change his master password. And that was really the point in this case – LastPass’ implementation was resilient against just such an incident and the real world impact was very close to zero.
And now this week the news is all about 1Password, not due to any specific compromise of the system but because of how information is stored about the sites users of the software have created passwords for. Whilst credentials themselves are encrypted in the software’s keychain, metadata about the sites the passwords belong to is stored in the clear. If you elect to publish this publicly to the web somewhere then people can see the file, kinda like if you publish personal photos to public locations then yes, people can see those too. If you chose not to publicly share these then no, people cannot see what is in there.
The risk of making this info public is that people may then engineer credentials out of you. They know you have an account on, say, eBay so they send you a phishing email. But of course most sites will already disclose if you have an account there anyway, even when they’re allegedly “discreet”. There’s the argument that you may store a site in the metadata file that contains sensitive data such as a reset token for your password, but only if the site screws up the implementation badly enough. When they do (and there’s always a small handful that do), then that same risk manifests itself in the browser history and potentially in logs at various locations (including the proxy) and possibly in the referrer header if you click an external link to another site. In short, the fact that it may also appear in a password metadata file that should be kept private anyway should be the least of your worries.
This issue got traction because the blog post had a good headline – “1Password Leaks Your Data”. The media loves headlines like this as they’re a great soundbite and they drive much more traffic than “The Private 1Password Metadata File Contains Clear Text URLs That Can Be Viewed by The Public If You Publish It Publicly”. That just doesn’t have the same ring to it which is unfortunate, particularly when the author of the post concludes that he will continue to use 1Password anyway. His analysis is actually very good and yes, 1Password should strengthen their implementation (and they talk about how you can do that yourself here too), but unfortunately as with LastPass’ recent incident, the facts got lost amongst the hysteria.
For password managers of all flavours and for future reference when these issues arise again in the future, look at it like this: how do they compare to the alternative? A strong hash of a good master password made public or a metadata file stored in plain text will always trump our lousy human memories and propensity towards bad passwords. That’s how to look at these incidents.