The AgileBits website is full of misinformation like this, assurances that no matter what happens passwords stored in 1Password are safe but in this case that is not true!
In conclusion, permanently storing the 1Password master password is a bad practice and I hope my highlighting of the issue will prompt a rethink. At the very least AgileBits need to inform their customers of the security implications of enabling automatic Dropbox syncing.
I think you're looking at this the wrong way. Digital information is vulnerable no matter where it's stored. It's impossible to say an iOS device is safer than a sync service because only chance is stopping one's data from falling into the wrong hands. In other words, you can't trust anyone.
To paraphrase, people don't want to type a strong master password on iOS devices because it's inconvenient, so allow them to use a weak master password because some security is better than no security. The danger with this approach is that people are lulled into thinking that using weak passwords is acceptable, which in turn encourages them to use weak passwords for everything. As you pointed out this is what happened with the 4-digit unlock code.
Whilst I still believe (and I practice what I preach) that the right approach is to use a single strong master password across all platforms, here is a potential solution: [...]
You should also consider educating users how to create a strong master password that is also easy to type within the 1Password application. iPad apps have become really good at this, take them through the process step by step with cute graphics and animation.
Good security is inconvenient but can be made easy to use, 1Password for example
Thanks, just trying to help improve my favourite password manager!
One thing that has made me worry a bit more about this is the behavior of iTunes. Once a device has been connected to iTunes and unlocked once on a computer the device can be unlocked without a passcode by any other users (including a Guest user) on the same machine. Allowing this way around a passcode means that we do have to exercise greater caution about what gets put in the iOS keychain. I really hope Apple will change this, but we have to look at the threats as they are, not as we wish they were.
All valid points, jhollington, but to me, again, this is about choice.
We're yet to hear anything definitive from AgileBits about the problem with the phone's master password being stored when you didn't ask it to be.
Personally, with an immediate-lock passcode on my iPhone and remote wipe enabled both via iCloud and Exchange ActiveSync, I consider my iPhone to be the most secure device that I keep my 1Password data on