How 1Password Has Failed Me...

2014-04-22 15:25 PDT

I have been using 1Password for a couple of weeks now, ever since Heartbleed (the OpenSSL heartbeat bug that affects 1.0.1-1.0.1f) was made public in early April.

Prior to all this Heartbleedy stuff, our IT department had kept all of our most secret and treasured passwords in a nice .csv file. It was clear that it was now time to graduate to a password manager, and a few of the folks in the office suggested 1Password. So, I went out and bought a copy for me and started putting my personal stuffs in there.

I created a personal (primary) vault and a secondary vault for our IT department. I imported the .csv into the IT vault and everything seemed great. Folks were able to connect to it via Dropbox Sync, and the effort to change out our passwords to proper random strings and store them in 1Password was under way.

In the meantime, I had also begun the process of making sure that my personal passwords to systems both at work and on the interwebs at large were safely stored in 1Password, and of course I was generating new random strong passwords for each site as I used them. I was careful to put my passwords in my vault and the IT passwords in the IT vault. In fact, I made a couple of mistakes, and there were a couple of instances where I signed into a site and stored my personal password in the IT vault. I quickly fixed that, and changed the passwords. This happened exactly three times - until last night.

Last night I was riding the bus home and was surprised to find out that fifty-eight items from my vault had been transferred into the IT vault. Not only that, but seven of those items had then been removed from my vault.

When I looked at the itvault.agilekeychain on Dropbox, NONE of these fifty-eight items were in there… but my boss was swearing up and down that he could see my credit card numbers, bank account info, usernames, passwords, everything! It was all there…

This morning, when I came into work, I found that there were copies of fifty-one items in the IT vault that were mine, and seven items that were mine, but no longer in my own vault.

I immediately set about remediating this, marking all fifty-three items in my vault with a “compromised” tag, and worked on retrieving the items from the IT vault, which were still not showing up in the .agilekeychain (1Passwordeverywhere nonsense). I could not delete these items from the IT vault. They simply wouldn’t be removed. Eventually I was able to export them so that I had a record of them, and then I exported the good work we had done in the IT vault, destroyed it, and recreated it so that it didn’t have my stuff in it. However, all my co-workers now had access to all my stuff… and they are pranksters to be sure.

I am glad that we are still trialing this software, and that we haven’t purchased it yet for everybody on my team… but I do have buyer’s remorse for the family pack I bought so that my wife and I could also practice good passwording.

When trying to contact AgileBits (the publisher of 1Password) about this issue, they direct you to their support forums and claim that this is the fastest way to get service. Unfortunately that support is not fast enough… I contacted them at 9:23 AM PDT today, and it is now 3:25 PM. I have not heard a word from them. Granted, they live in Toronto and I am in Seattle. But that means they got my contact around 12:30 PM their time - and have not yet responded to what I consider a fairly serious security breach.

At this point I think the best that can be said is that I am very very very disappointed by 1Password, and by AgileBits as a company that should be standing by their product. I feel that they need to be more responsive when somebody brings up an issue like this on their support forums. I mean… this is supposed to be a tool designed to keep passwords secure, and all it has done for me is share all my stuffs with my co-workers. My only remediation at this point is to stop using it for my personal stuff. I will also use this as an example of why we should look elsewhere for password management. If a company cannot respond either via their forums or by email when something like this crops up, perhaps they don’t deserve our business. It may be that LastPass is a better solution - I will look into that tomorrow.

UPDATE - 2014-04-30: I am happy to report that AgileBits did eventually get in touch with me. It seems they have been utterly swamped with support requests in the wake of Heartbleed. Anyway, after a number of back and forths whereby I explained my issue, and how I could reproduce it, they sent the issue off to their development team, who confirmed that there was a bug in v4.2.2 that they had seen cause this issue in a couple of rare cases. I am assured that the issue is fixed in v4.3, and indeed I have seen neither hide nor hair of the issue since upgrading to 4.3 and making sure I destroyed the shared vault, creating a new one from exported data. Today I updated to v4.4... I guess we will see what happens going forward, but I feel confident that the issue is resolved.