Categories
software

1Password Announces Cryptocurrency and NFT Heel Turn

1Password has been the password manager I’ve recommended to anyone who isn’t using one for years. It is relatively easy to use, seems reasonably secure, and available on most of the platforms you’d want it to be on. I won’t be recommending 1Password for much longer if AgileBits, the company behind 1Password, sticks with the plans that AgileBits’ Matt O’Leary announced support for today:

We’re making it easier for Phantom wallet owners to save their account password, secret recovery phrase, and wallet address in 1Password. Phantom is a digital wallet that lets you manage cryptocurrencies, tokens, and NFTs built on the Solana blockchain.
This is the first of many partnerships that we’ve been working on in the cryptocurrency space. It’s always been our goal to make it easier for everyone, regardless of their technological proficiency, to protect everything that’s important to them. And for an ever-growing group of people, everything includes digital assets.

[…]

Here at 1Password, we want to help secure everything that’s important to you, including your cryptocurrency wallets. We believe your keys and recovery phrases deserve the same level of protection as your credit and debit card numbers, medical records, and everything else you have stored inside 1Password.

Know someone who thinks crypto is too complicated or overwhelming? So do we. Most people don’t know what a recovery phrase is, or what will happen if they lose it. We know that getting started and securing your hard-earned investments should be simpler. That’s where 1Password comes in.

1Password has always been a place to store wallet addresses, private keys, and login credentials for cryptocurrency exchanges. But with the Save in 1Password button, it’s now easier than ever for Phantom wallet owners to gather and protect this information. We’ve also created a new item type for cryptocurrencies in 1Password, with clearly-labeled fields for everything you might want to store.

Let’s be clear: NFTs and cryptocurrency are a grift that operates like a pyramid scheme. They need fresh new buyers so that the people at the top of the pyramid can cash out. Once new users buy in, they quickly become evangelists for the scheme because that is also the only way for them to cash out. Like regular capitalism, only accelerated to the point where there isn’t even the illusion of legitimacy, and there is no purpose for these grifts except to provide a way for people higher up in the pyramid to cash out. Capitalism theoretically turns work into a roof over your head and food on a table. Cryptocurrencies and NFTs can’t pay rent or buy food; they have to be converted back into actual money, which is going to be tough to do when the traded value of many cryptocurrencies has been tanking and will continue to be volatile and unreliable for everyone who is at the bottom and can’t afford to pump the market.

Even the ads during the Super Bowl didn’t help prop up the fraud to stop the slide, and now that’s what AgileBits has decided to get behind. AgileBits are sinking their reputation alongside cryptocurrency grifters. There have already been other cuts that AgileBits have foisted upon their users, like switching away from native applications to Electron web apps and pushing users toward subscriptions & AgileBits’ online password vault service instead of using another cloud file hosting provider. It seems like much of this is driven by the venture capital money that AgileBits took back in 2019 after operating for over a decade without giving up control of their business.

Support for grifts like cryptocurrencies and NFTs will likely be the final straw for my use of 1Password and I am going to stop recommending it if AgileBits don’t change course in response to the backlash they’re receiving.

Categories
video games

“I’m upset that you changed the password to the PSN account I stole from you”

Seriously crazy stuff going on with PSN account resellers in this article from Patrick Klepek:

A few weeks ago, Mic Fok got a weird email. The person writing it claimed they’d been playing Overwatch on a PlayStation Network account for more than six months, but the password had changed recently. But why would Fok know anything about this random dude’s account? As it turns out, they’d “purchased” Fok’s account through a website called PSN Games, one of many businesses trafficking in the selling of cheap games by sketchy means.

The individual who bought Fok’s account was an Overwatch fan named Bennett Eglinton.

“Hello I purchased overwatch from psngames.org and this email was used as the account info,” reads an email from Eglinton, sent in early March. “However the password I was given for the PlayStation Network sign in no longer works. Did you happen to change it? Can I get the new info.”

As Patrick mentions in the article, this is a great reason to use unique passwords everywhere with a password manager. I use and recommend 1Password despite them switching from standalone purchases to a subscription. You should also use the free Have I been pwned? service to check all of your email addresses for public account credential leaks.

Categories
science security

Misleading Headline Popularity Rises 200%

In a post titled “1Password Leaks Your Data”, software engineer Dale Myers argues that 1Password’s 1PasswordAnywhere feature is very insecure. Here’s how Myers describes the feature:

For those of you who don’t know, 1PasswordAnywhere is a feature of 1Password which allows you to access your data without needing their client software. 1Password originally only used the “Agile Keychain” format to store their data (not including when they were OS X keychain only). This format basically stores your data as a series of JavaScript files which decrypt your data when you supply your master password. Since the files are JavaScript and implementations of various crypto algorithms exist in JavaScript, there was no reason why AgileBits couldn’t come along and make an HTML and JavaScript client for viewing your data, so they did.

If you browse to your .agilekeychain “file” on disk, you find that it is actually a directory. Inside this directory is a file named “1Password.html”. If you access this file over HTTP (note that using the file protocol won’t work), you will be greeted with a grey page which has a lock image and a password field. Enter your password and your keychain will unlock and you have a read only view of your data.

So what’s the problem? Well, it turns out that your metadata isn’t encrypted. I discovered this after having a sync issue with Dropbox (I use Dropbox to host my keychain). The file that had issues was 1Password.agilekeychain/data/default/contents.js. Being a curious kind of guy I opened the file to see what was in there. The answer is the name and address of every item that I have in 1Password. Every single one. In plain text.

This contents.js file does exist. It describes in plain text every URL that you have a login for in 1Password. Myers also goes on to explain the security issue in greater detail, and a post in response by AgileBits (the developer of 1Password) gives their roadmap for phasing out the AgileKeychain format, which is still the default in 1Password today, in favor of the OPVault format that they’ve been working on for years. Technical descriptions of both formats for storing passwords and metadata aside, the important part is that AgileKeychain has this issue and OPVault doesn’t, and AgileBits is working on fixing it and moving everyone to the more secure format. Neither format leaks your passwords, and the headline and content of Myers’ post are misleading.

Myers’ description of the security hole gets even worse:

But it gets worse. I decided to have a look and see just how bad things were. Thanks to people having links for easy access to their keychain on their websites, Google has indexed some of these. A simple search brings up results. By looking at one of these it was a simple matter to identify the owner of the keychain and where he lived. I know what his job is. I even know the names of his wife and children. If I was malicious, it would be easy to convince someone that I had compromised their account and had access to all of their credentials. Not to mention the fact that they have revealed their location online which may put their personal safety at risk.

And in describing the newer OPVault format:

…Since the data is stored as JSON, I can’t figure out why, but perhaps AgileBits decided having your keychain accessible on the internet isn’t the best idea?

The conclusion a reader of Myers’ post might reasonably come to if they read nothing else is that 1Password has a security hole where every site you’ve ever logged into has been leaked publicly.

AgileBits was going easy on Myers in their response. The truth is that none of this public sharing happens by default.

Even if you store your 1Password keychain in the current default format of the AgileKeychain and decide to use Dropbox for syncing, it is not automatically pushed out to the public. A 1Password user would have to ignore AgileBits’ instructions for accessing 1PasswordAnywhere via Dropbox’s website and intentionally choose the option to share the files publicly via Dropbox or another method.

If you use 1Password, and have decided to sync it using Dropbox, you can check if you have shared your keychain directory publicly by going to the sharing section of Dropbox’s website and checking the list of directories and files you share on Dropbox. I would be extremely surprised if many people using 1Password have shared their 1PasswordAnywhere files publicly.

Myers’ article is barely accurate in describing the extent of the contents.js security hole. If your computer’s hard disk isn’t encrypted, anyone who has access to your computer, or anyone who can circumvent the encryption on it, could easily access the contents.js file and know what sites you have logins for. If anyone was boneheaded enough to share the file publicly, they may have unknowingly also shared the list of sites that they’ve stored passwords for.
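To make the extent of the hole concrete, here is an added example (not code from Myers’ post or from AgileBits) that audits what a copy of an AgileKeychain directory reveals with no master password: it reads only the unencrypted contents.js index. The keychain it inspects is constructed in a temporary directory, and the column layout of each contents.js row (uuid, type, title, location, updated-at, folder, strength, trashed flag) is an assumption made for the example.

```python
import json
import os
import tempfile

# Constructed sample rows, NOT from a real keychain. Assumed layout:
# [uuid, type, title, location, updated_at, folder_uuid, strength, trashed]
SAMPLE_CONTENTS = [
    ["A1B2", "webforms.WebForm", "Example Bank", "https://bank.example", 1700000000, "", 80, "N"],
    ["C3D4", "webforms.WebForm", "Example Mail", "https://mail.example", 1700000001, "", 65, "N"],
    ["E5F6", "securenotes.SecureNote", "Wifi notes", "", 1700000002, "", 0, "Y"],
]


def build_sample_keychain(root):
    """Write a constructed .agilekeychain directory containing only the index."""
    data_dir = os.path.join(root, "1Password.agilekeychain", "data", "default")
    os.makedirs(data_dir)
    with open(os.path.join(data_dir, "contents.js"), "w") as fh:
        json.dump(SAMPLE_CONTENTS, fh)
    return os.path.join(root, "1Password.agilekeychain")


def exposed_metadata(keychain_dir, include_trashed=False):
    """Return (title, location) pairs readable without the master password.

    contents.js is a plaintext index, so anyone holding the files learns item
    names and URLs. The per-item files holding passwords are encrypted and are
    deliberately not opened here.
    """
    index_path = os.path.join(keychain_dir, "data", "default", "contents.js")
    with open(index_path) as fh:
        entries = json.load(fh)
    found = []
    for entry in entries:
        if len(entry) < 4:
            continue  # malformed row: skip rather than guess at fields
        trashed = len(entry) > 7 and entry[7] == "Y"
        if trashed and not include_trashed:
            continue
        found.append((entry[2], entry[3]))
    return found


def audit_sample(include_trashed=False):
    """Build the constructed keychain and return what its index exposes."""
    with tempfile.TemporaryDirectory() as tmp:
        return exposed_metadata(build_sample_keychain(tmp), include_trashed)


if __name__ == "__main__":
    for title, url in audit_sample():
        print(f"{title!r} -> {url or '(no URL)'}")
```

Running the same function against a real 1Password.agilekeychain directory shows exactly the site list an unencrypted disk, or a publicly shared Dropbox folder, would give away.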

By default, the web browsers Firefox, Safari, and Chrome also leak all of your web browsing history in an SQLite-formatted file that is trivially viewable by anyone who has access to an unencrypted computer with an SQLite database browser. Just like 1Password, these browsers don’t by default store this information publicly, and you would have to go out of your way to make the data more insecure by sharing it publicly on the web.

The majority of Myers’ article is misleading in giving the reader the impression that contents.js is shared publicly by default. It is good that in response AgileBits appears to be accelerating their timeline for moving everyone to the OPVault format for storing passwords and metadata, and it should not have required Myers’ public shaming to do that, but it is ridiculous to scare people off of this password manager when their passwords’ security was never in doubt, as even Myers concludes at the end of his article.