Less Than Impressed With 1Password

First, the good news: 1Password has released a new version of their product on iOS. The company outlines a whole pile of reasons for supposedly delaying security upgrades – some of which include the updates will slow the speed at which users can access their encrypted data – but fail to identify what I suspect is a key motive behind the upgrade. If you recall, I wrote a while ago about key failures in mobile password managers. 1Password was amongst those who had flawed security implementations.

To be clear: security, especially good security, is damn hard to engineer. 1Password didn’t have the gaping flaw that others did – i.e. storing passwords in plaintext!! – but it was flawed. In the security community this (ideally) is resolved when someone critiques your secured infrastructure. In today’s world you should also credit the security researcher(s) who identified the flaw.

Unfortunately, this isn’t what 1Password has done. As far as I can tell, there is no formal recognition from the company that they have had flaws in their mobile security model pointed out by a third-party. This is a shame, given that a key factor that builds genuine trust in security is transparency. It seems like 1Password is willing to address problems – they’re not dwelling in a security by obscurity paradigm, to be sure! – but not credit others with finding those problems in the first place.

Update: My very, very bad. I missed an earlier piece from 1Password, where they note the research. That is available here. It would have been ideal to see a reference to this in their update but, admittedly, credit had previously been given.