contents.js: Very disappointing
Had I noticed this file and its contents before purchasing, I can tell you right now that I would not have purchased 1Password.
I've read the other threads and documentation that talk about how only the title and URL are visible, but the title and URL can contain important private information!
As an example, there are many sites where I have multiple logins. This requires that I keep the username as part of the title, otherwise there's no way to tell them apart without opening up each entry in turn to find the right one. So, right there, my usernames become unencrypted data. Just the fact that I have an account on some sites is private information which is a distinct disclosure risk. (e.g. visiting a country that has "moral" laws and could jail you based on the contents of your computer)
I understand wanting an index file. I understand the purpose for having it. I absolutely do not understand or condone not encrypting the index file. You can still have an index file and just encrypt the index file. Does that mean one entry needs to be decrypted? Sure. Does it make the entire application's information store more secure? Most definitely.
Frankly, I'm disgusted by this, and it may force me to look for another application. I can't believe that any security-conscious developer went along with this idea.
I say all of this as both a developer and data security aficionado for the last 20 years.
Comments
-
I can't really comment on the format of the data from an expert viewpoint, but the issue you have raised has been discussed on these forums more than once. Unfortunately, the forum search seems to be broken at the moment, so I can't link to such a thread.
I can say that I have read some discussion about this format from the developers, and I know they are working on a new data format that does encrypt everything. They haven't switched over because they need to be sure first that the newer format works on all the various platforms they support. They have not announced a timeline for the switchover. Also, if you sync your data to iCloud, the new format is already in place. If that's an option for you, you can eliminate the issue. But that means OS X and iOS only, since Apple hasn't let other platforms access iCloud.
Also, if you need to rely on 1PasswordAnywhere, you can only use it if you use Dropbox, where the format you object to is still in use.
If you made your purchase from the AgileBits web store, and you are sufficiently unhappy, remember that they offer a 30-day money back guarantee. If you purchased directly from Apple, you'd need to request a refund from Apple.
0 -
@signe you may be interested in this very detailed post from JasperP, which explains things in great detail.
Stephen
0 -
You can use the new data format, which encrypts the title and URL, if you are using 1Password for Mac, Windows and/or iOS. It doesn't work on Android yet.
I made the switch to the new data format and haven't seen any issues with it (syncing Mac and Windows computers with Dropbox). Depending on what platform you have, the method of switching format is different.
0 -
Thank you for the upgrade information.
0 -
Hi @signe,
I'm glad that @hawkmoth, @Stephen_C, and @Xe997 were able to help. :)
If you were interested in some more details about the rollout of the new format (including where it is already used today), please see:
Rolling out the 1Password 4 keychain
If you have any other questions or concerns, please let us know. We would be happy to assist you further!
0