Two security questions (unencrypted metadata in keychain and master password issue)

macgabe
Community Member
edited July 2014 in Mac

Two gripes!

  1. Still a lot of easily readable info in the 1Password file. You can see what services you use and how strong the password is. The thumbs should be encrypted and so should the titles and all other text and URLs. I saw someone I know had somehow accidentally stored the 1P master password as a header for a 1P website entry (for an unrelated site). With all the duplicates created by the prompt to "save password", and the need to login to 1P to do so, I expect this happens quite a lot.

  2. Just realised 1P just gave my master password for 1P to this site automatically, which is why I couldn't log in, because it confused my 1P entry and my Agile discussion forum password - which both contain the URL to this site. Is this even https? Regardless I'm now changing the password - which is annoying.

Comments

  • Jasper
    edited May 2014

    Hi @macgabe,

    Still a lot of easily readable info in the 1Password file. You can see what services you use and how strong the password is. The thumbs should be encrypted and so should the titles and all other text and URLs.

    Our old Agile Keychain format does store some metadata in the clear. Here is the list of the unencrypted items:

    • Icon
    • Title
    • Location
    • Type
    • Modified Date
    • Created Date
    • Folder
    • Tag

    Password strength used to be included in that list as well, but that was changed way back in November 2011.

    This is outlined in a few different places in the User Guide. From the Agile Keychain Design document:

    The Agile Keychain is nearly identical to the Mac OS X keychain in terms of what is kept encrypted and what is left open in plain text. The distinction is an important trade-off between security and convenience. The more that is encrypted, the less a would-be thief can access, but it is also necessary to leave enough open to allow applications to freely access certain items without needing to decrypt every single entry each time. The Mac OS X keychain nicely balances security and convenience, so the Agile Keychain follows suit.


    Here is an example entry from the Agile Keychain:

    {
     "title" : "dave @ AWS login",
     "locationKey" : "perfora.net",
     "encrypted" : "...",
     "typeName" : "webforms.WebForm",
     "securityLevel" : "SL5",
     "openContents" : {
       "createdAt" : 1216012929,
       "updatedAt" : 1216012929,
       "usernameHash" : "..."
     },
     "location" : "https://webmailcluster.perfora.net:443/xml/webmail/Login",
     "uuid" : "0A522DFCAE6442D991145BC76E55D343",
     "folderUuid" : "A90D66D1A4E34481BDF03DDEA9F511AC"
    }

    As you can see, not all the information is encrypted. Most notably, the name/title of each entry (i.e. dave @ AWS login) and the location/URL are open. Having these open allows 1Password to organize your data and display it without suffering the performance hit of needing to decrypt every single item. All the truly confidential information is stored in the encrypted section of the file.

    The original form of the Agile Keychain left its assessment of password strength among the unencrypted data. This was removed in 2011.

    The above file format is based on JSON (JavaScript Object Notation). It is a lightweight notation for structuring data without the overhead associated with formats like XML. As a side benefit, these JSON files can be loaded directly into a web browser. The name of the file is based on the UUID (Universally Unique Identifier) of the item. This guarantees the filename is unique and will stay the same even when items are renamed.

    The new 1Password 4 data format encrypts all data. In version 4, your data is stored locally in a SQLite database (OnePassword.sqlite), and all data is encrypted (even the metadata).

    For syncing, the new Cloud Keychain/opvault format also encrypts all data. The Cloud Keychain is currently used for iCloud syncing.

    Dropbox and Folder syncing still use our old Agile Keychain format at the moment (in order to remain compatible with the rest of the platforms still using older versions of 1Password). As we move forward, the Cloud Keychain format will be used in more places. Once we release 1Password 4 for the other platforms (Android and Windows), we'll phase out the older format and use the new format everywhere for all sync methods.

    You can read about the new data format here:

    1Password 4 Cloud Keychain design

    Just realised 1P just gave my master password for 1P to this site automatically!

    1Password does not store or log your master password anywhere, so it's not possible for it to automatically fill it somewhere.

    Do you have a login item for agilebits.com that stores your master password? If so, I would recommend deleting it.

    And if you entered your master password into this website (or any website), I would recommend changing it (like you already mentioned you'll be doing).

    Please let us know if you have any other questions. We're always here to help! :)
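The two points raised in this thread, that an Agile Keychain item leaks its title, URL and other metadata in the clear, and that a secret can end up in one of those plaintext fields by accident, can both be checked locally with a small script. The following Python is an added example, not AgileBits code and not part of the original thread; it only assumes that items are JSON objects shaped like the example entry in Jasper's reply (everything outside the "encrypted" value is readable without the master password). The sample entries are constructed, and the second one deliberately carries a made-up secret in its title to reproduce the mistake described in the first post.

```python
"""Audit what an Agile Keychain-style item exposes without decryption.

Added example; the entry layout follows the example item quoted on the page,
and the SAMPLE_ENTRIES values below are constructed, not real data.
"""
import getpass
import json
from urllib.parse import urlparse

# Constructed items in the shape of the page's example entry.
SAMPLE_ENTRIES = [
    {
        "title": "dave @ AWS login",
        "locationKey": "perfora.net",
        "encrypted": "...",
        "typeName": "webforms.WebForm",
        "securityLevel": "SL5",
        "openContents": {"createdAt": 1216012929, "updatedAt": 1216012929,
                         "usernameHash": "..."},
        "location": "https://webmailcluster.perfora.net:443/xml/webmail/Login",
        "uuid": "0A522DFCAE6442D991145BC76E55D343",
        "folderUuid": "A90D66D1A4E34481BDF03DDEA9F511AC",
    },
    {
        # Constructed: a secret (made up here) stored as the item title,
        # the mistake the original poster saw happen.
        "title": "correct horse battery staple",
        "locationKey": "example.com",
        "encrypted": "...",
        "typeName": "webforms.WebForm",
        "securityLevel": "SL5",
        "openContents": {"createdAt": 1400000000, "updatedAt": 1400000000,
                         "usernameHash": "..."},
        "location": "https://forum.example.com/login",
        "uuid": "11111111111111111111111111111111",
    },
]


def load_entries(json_blobs):
    """Parse one JSON text per item (the per-UUID files) into dicts."""
    return [json.loads(blob) for blob in json_blobs]


def cleartext_fields(entry):
    """Everything readable without the master password: all top-level keys
    except the "encrypted" blob, with openContents flattened as dotted keys."""
    fields = {k: v for k, v in entry.items() if k not in ("encrypted", "openContents")}
    for k, v in entry.get("openContents", {}).items():
        fields["openContents." + k] = v
    return fields


def services_in_clear(entries):
    """Hostnames a reader of the keychain files learns without decrypting anything."""
    hosts = set()
    for entry in entries:
        location = entry.get("location")
        if location:
            hosts.add(urlparse(location).hostname)
    return sorted(hosts)


def find_secret_in_clear(entries, secret):
    """(uuid, field) pairs for items whose plaintext fields contain `secret`.

    Matching is case-insensitive; one hit per item is enough to flag it."""
    needle = secret.lower()
    hits = []
    for entry in entries:
        for key, value in cleartext_fields(entry).items():
            if isinstance(value, str) and needle in value.lower():
                hits.append((entry["uuid"], key))
                break
    return hits


if __name__ == "__main__":
    # Run against the constructed sample; for a real vault you would load the
    # per-item JSON files with load_entries() instead.
    print("Services visible in the clear:", services_in_clear(SAMPLE_ENTRIES))
    secret = getpass.getpass("Secret to look for in plaintext fields: ")
    for uuid, field in find_secret_in_clear(SAMPLE_ENTRIES, secret):
        print(f"item {uuid}: secret found in unencrypted field '{field}'")
```

The secret is read with getpass so it never appears on the command line or in shell history; any item the script flags should have its title or URL edited and, as Jasper says, the exposed secret changed.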

This discussion has been closed.