1Password is changing the way it encrypts users' data in an attempt to keep metadata protected.
The move comes after Dale Myers, a software engineer at Microsoft, exposed the password manager’s vulnerabilities. Myers’ post showed that the file formats being used by 1Password were not encrypted, meaning people who use the 1PasswordAnywhere service were having their login details saved in plain text, which isn’t ideal.
The reason 1Password hasn’t been encrypting its metadata is that when it first started out in 2008, it was unmanageable to decrypt users’ saved URLs every time someone wanted to access one.
This isn’t really an issue for people only using 1Password on their own machines as the company doesn’t save information on its own servers, but using the 1PasswordAnywhere service means the data is being accessed remotely on various machines, making it much more open to attacks.
1Password will be making the transition over the coming weeks, but if you’re concerned about security and want to make the switch now, you can do it manually using the instructions given by AgileBits, the app’s developer.