Re: 1Password Leaks Your Data(makzan.net)

almost 5 years ago from Thomas Mak, Author of HTML5 Games Dev books

  • David BarkerDavid Barker, almost 5 years ago

    Your post is correct, but I do think it's an issue worth highlighting.

    I remember when I first learnt about the ability to view your 1Passworld vault even without the app installed. I wondered how they were able to do something so useful, so I looked into the files and saw that my usernames and websites were in plain text, which was pretty surprising. I don't think it's unfair to assume that all of your data is hidden behind your master password, not just the actual passwords. Even if you don't use any syncing options like Dropbox, they're still being stored on your local machine in plain text. Fair enough, someone isn't able to view your passwords, but they can see the "metadata" — enough to know what websites you have accounts for. Again, I would assume that most people would assume that none of this is visible without entering the master password.

    As to him using the Dropbox referral link, I'm torn. I'd have more of an issue with it if he was using a referral to buy 1Password after pointing out its flaws.

    3 points
    • Thomas Mak, almost 5 years ago

      Though I don't have that expectation, it's fair point that users have expectation that everything is hidden behind the master password.

      But I think this is a potential privacy issue rather than a security issue. And it happens only when your computer (or your Dropbox account) is exposed, which the theft can actually can much much more than the login history, and makes this leak too little to care, comparing to your important files, ssh keys, logged in email session in browser etc.

      1 point