Security: MetaData Encryption question

Community Member

Back in October 2015 there was the issue of 1Password metadata not being encrypted. Essentially, while the passwords and login credentials were encrypted, the actual website URLs were not encrypted.

I just installed 1Password. During the installation 1Password's vault creation defaults to the file format of Agile Keychain which still leaks your metadata in the file contents.js showing exactly which websites you have saved in 1Password. This information file is available where you have your stored local password vault: 1Password.agilekeychain\data\default\contents.js

DBrown, Community Moderator, commented in July 2015 that "...AgileBits is moving away from the Agile Keychain..." It is apparent AgileBits has not, and still defaults to this format upon installation.

The only fix to this is to manually change the vault to the .opvault format or, if you have prior warning of this issue before installing 1Password, select the .opvault as the vault format.

So my question now is: Why has AgileBits not completely gone away from the Agile Keychain format which DBrown mentions back in July 2015?


  • AGAlumB
    1Password Alumni

    So my question now is: Why has AgileBits not completely gone away from the Agile Keychain format which DBrown mentions back in July 2015?

    @Indiana: The short answer to your question is because AgileKeychain is still incredibly useful, compatible, and secure. You can read more here:

    Your passwords are safe when using the Agile Keychain format

    But more to the point, it's a personal choice. 1Password is meant to keep sensitive, private information secure, but URLs are common and public. "Leaking" suggests that 1Password is squirting information about you out into the ether somewhere, and that's simply not the case. A "warning" suggests that there's a danger inherent in using AgileKeychain, but that's not the case either. The only way someone has your vault's metadata is if you give it to them.

    On the other hand, we're moving to OPVault going forward because with advancing technology there's less of a performance penalty to encrypting everything, and the OPVault design overall improves on AgileKeychain in a number of ways.

    As you mentioned in your post, you had the option of using OPVault when you set up 1Password, but it isn't the default. As it's available everywhere people are using 1Password it will eventually become the default. But 1Password won't help anyone if this transition happens prematurely and causes compatibility problems or sync issues for people. I hope that helps clarify things. Be sure to let us know if you have any other questions! :)

  • Indiana
    Community Member
    edited April 2016

    Which brings me to my next point. Please include SpiderOak as a cloud sync alternative for 1Password. This would help protect users' metadata. :)

  • Ben
    Team Member

    Thanks for the suggestion, @Indiana. We're not currently planning to add any further 3rd party sync providers, but if/when we do we'll certainly take SpiderOak into consideration.


This discussion has been closed.