Comparison of the Agile and OS X Keychains

Since 1Password’s early days, it has used Mac OS X’s Keychain to store data. This served us and our users very well for a while because the Keychain was built into the OS and offered good security. But over the years, our customers told us that they want more flexibility, even stronger security, and better ways to secure more kinds of sensitive data with 1Password. We listened, and we researched, and after more than a year of work deep in our labs, the Agile Keychain file was born.

Feature Comparison

From a feature standpoint, the Agile Keychain allows us to answer the many requests of our users. Armed with the Agile Keychain, only 1Password can:

Technical Comparison

Here is a quick comparison of the Mac OS X keychain and Agile Keychain from a more technical and file-based perspective:

Feature                            Mac OS X Keychain            Agile Data File
File-Level Sync                    not practical                robust, easy, instant
Performance                        degrades as size increases   fast even at GB sizes
Auto-Lock                          based on keychain use        based on computer use
Data Encryption                    Triple DES (outmoded)        128-bit AES CBC w/ PBKDF2
Automatic Sync between Computers   MobileMe                     Dropbox, ChronoSync, etc.
Automatic Sync with iOS Devices                                 Dropbox
Attachments

File-Level Syncing

File-level syncing is not practical with the Mac OS X keychain because everything is stored in a single file. Each modification causes the entire file to be recreated and then synced. This hurts performance and increases the chance of conflicts.

Performance

The Mac OS X keychain slows significantly as its size increases because every change creates an entire copy of the file and then replaces the original.

Auto-Lock

The Mac OS X keychain’s auto-lock function is based on keychain usage: it measures the time since the keychain was last accessed to decide whether to lock it. User activity such as typing or mouse movement is irrelevant. This forces you to specify a much longer automatic lock time than you might like.

Data Encryption

The Mac OS X keychain uses Triple DES as its encryption algorithm, which is quite secure but is growing older and has been superseded by newer encryption algorithms with longer key lengths. The US government has deprecated the use of Triple DES and has set AES as its new standard.
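The comparison table describes the Agile Keychain's encryption only as 128-bit AES in CBC mode with a PBKDF2-derived key. The following Go program is an added example written for this page to show how those two pieces fit together; it is not 1Password's code and does not reproduce the Agile Keychain file layout. Everything beyond the "AES-128-CBC with PBKDF2" description is an assumption chosen for illustration: HMAC-SHA1 as the PBKDF2 PRF, an 8-byte salt, 1000 iterations, PKCS#7 padding, and a blob layout of salt || IV || ciphertext. PBKDF2 is written out from RFC 2898 so the example depends only on the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"io"
)

const (
	saltLen    = 8    // assumption: salt length for this example's blob layout
	keyLen     = 16   // 128-bit AES key, as the comparison table states
	iterations = 1000 // assumption: work factor, chosen per threat model
)

// pbkdf2 implements PBKDF2 (RFC 2898, section 5.2) over HMAC with hash h.
func pbkdf2(password, salt []byte, iter, dkLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hLen := prf.Size()
	blocks := (dkLen + hLen - 1) / hLen
	dk := make([]byte, 0, blocks*hLen)
	idx := make([]byte, 4)
	for i := 1; i <= blocks; i++ {
		// U1 = PRF(password, salt || INT(i)), big-endian block index
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, uint32(i))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(password, U(j-1)); Ti = U1 xor U2 xor ... xor Uc
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// DeriveKey is PBKDF2-HMAC-SHA1 (the PRF is an assumption for this example).
func DeriveKey(password, salt []byte, iter, dkLen int) []byte {
	return pbkdf2(password, salt, iter, dkLen, sha1.New)
}

// pkcs7Pad returns a padded copy; a full block of padding is added when the
// input is already block-aligned, so unpadding is unambiguous.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt derives a key from password and a fresh random salt, then encrypts
// plaintext with AES-128-CBC under a fresh random IV. Output: salt || iv || ct.
func Encrypt(password, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(DeriveKey(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := make([]byte, 0, saltLen+aes.BlockSize+len(ct))
	return append(append(append(out, salt...), iv...), ct...), nil
}

// Decrypt reverses Encrypt. CBC alone provides no integrity check: a wrong
// password or a modified blob is noticed only when the padding happens to be
// invalid, which is why a real format would also authenticate the blob.
func Decrypt(password, blob []byte) ([]byte, error) {
	hdr := saltLen + aes.BlockSize
	if len(blob) < hdr+aes.BlockSize || (len(blob)-hdr)%aes.BlockSize != 0 {
		return nil, errors.New("malformed blob")
	}
	salt, iv, ct := blob[:saltLen], blob[saltLen:hdr], blob[hdr:]
	block, err := aes.NewCipher(DeriveKey(password, salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	pw := []byte("sample-master-password")                            // constructed
	blob, err := Encrypt(pw, []byte("login: user@example.test / pw1")) // constructed record
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob (%d bytes): %s\n", len(blob), hex.EncodeToString(blob))
	pt, err := Decrypt(pw, blob)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	_, err = Decrypt([]byte("wrong-password"), blob)
	fmt.Printf("wrong password: err=%v\n", err)
}
```

The salt is what makes PBKDF2 worthwhile: without it, one table of derived keys would serve every keychain that shares a master password, and the iteration count sets how much work each guess costs an attacker who has obtained the file. The wrong-password case in main shows the limitation of unauthenticated CBC: decryption usually fails on the padding check, but nothing cryptographically binds the ciphertext to the key, so a defender reviewing such a format should expect a separate integrity mechanism.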

MobileMe Syncing

The Mac OS X keychain has direct support for syncing with MobileMe. The Agile Keychain does not have this level of integration with MobileMe, but it can be synced automatically through Dropbox or other services.

More Information

For a full analysis of our need to design the Agile Keychain, please refer to the article explaining the history of Mac OS X keychain integration in 1Password.

For details on how the Agile Keychain was designed and made secure, please see the Agile Keychain Design document.

For details on how to migrate your data from the Mac OS X keychain to the Agile Keychain, please see our guide on upgrading to the Agile Keychain.