Is the 1Password 4 Notes Secure? I don't mean Secure Notes!
I was reading an old post from 2011 saying that the 1Password Notes isn't secure. I don't mean the Secure Notes but the notes field inside of logins. I've been typing things inside there.
https://discussions.agilebits.com/discussion/3975/feature-request-custom-templates/p2
Here's a comment from sjk:
Jim here wrote:
I'm content now with just putting all that stuff in a Notes field, and I can find it there just as easily, without all the fiddling with templates, field names, data types, etc.
But 1P's Notes field is in clear text, which could be an issue with certain data there. It's similar with clear text Secure Notes, as discussed in another topic a few months ago.
Comments
-
I stand to be corrected, but I think that that simply means that the field is displayed in clear text on the 1Password GUI. I doubt, and severely hope, that they are not stored in the keychain unencrypted.
Basically, just be careful with who's looking over your shoulder when you have them open.
0 -
Thanks, @RichardPayne. I'm sure that's true.
I've sent a note to @sjk, asking him to clarify his meaning.
Thanks for asking, @wkleem!
0 -
Hi @wkleem,
What @RichardPayne said and @DBrown confirmed about text in notes fields is correct. It is only displayed as "clear text" within the application, but is definitely stored encrypted in every format that 1Password is using. Sorry if that comment I made over 3 1/2 years ago seemed to imply otherwise; no worries! :)
For example, here's an item from the Demo vault with a notes field:
And here's what its data looks like stored in an Agile Keychain for that vault:
{ "uuid": "D9162D6F664744C1B7DDA78F7832ADC5", "updatedAt": 1352324437, "locationKey": "brokenarrowwear.com", "securityLevel": "SL5", "contentsHash": "3f11c9", "title": "BrokenArrowWear", "location": "http://www.brokenarrowwear.com", "encrypted": "U2FsdGVkX1+ZXAax2Q/nJU2TxaK0RHZZuHRHqEoBsSmMgg20z7kDwe2mgpeIhnnHJEeGkRZWp9lBVlr6az+x6hrvJYvYiuRoEZvAitXAUDMPJsViP1oANS1ohnIEGonvOSjFtLG0T/xF2MlsQ8NRg8pE/0rRorhjIDLBjvNXSnXFYtwo/uuf+fg7FxLGd3qq1UxnlcuwPbPETdYh5nMsp1VQOUTVY2z9MxLOi8VxBLalwOXMFVaXMqJx03Tw9pN+bggcDtypn3+B8gyZY5kyDjKHgj7dkEXF7EEN5LLok5CxOq/k0tw61FI9pGZAwrjqUevzaKr+szxMdTeWL/Ric1xUKr4cQnuXhZ90r94BXi6kR0SkKX5JPzXck78aduu0O71/Tor6z68mqXIMIyb1ZLiOqji701u0is90XpIt4qNCq8ATnLnA2hxk3mf4Yqce/KjId4TltYfjh0Pwm9nwJg==", "createdAt": 1344901872, "typeName": "webforms.WebForm" }
0 -
LOL, and I have been putting a copy of the password in notes field sometimes and forget to go back and remove it when I am done getting a site to work. I put the password there when you are stopped from copying and pasting the password when updating and they make you type the darn thing 2 times. It is easier to see than unlocking every few places.
So, I don't have to go back right away and start deleting stuff out of there right? I would have been surprised that any part of the data inside 1PW - no matter what the field - is not secured under that humongous pass phrase key :) If anything is NOT secure, PLEASE make it known so people are aware.
Peter
0 -
In the agilekeychain format, item titles are not encrypted. Don't put secret info in the title.
The new opvault format does not leave any data unencrypted I believe.
0 -
As you can see in @sjk's example above, Peter, URLs, too, are unencrypted in the .agilekeychain format. As with titles, the purpose is to improve performance by reducing the time needed to do matching with the current web site in your browsers and by displaying matching Login items more quickly.
0 -
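Added example (not part of the original thread and not AgileBits code): a small Python check that splits an item record shaped like the one posted above into the fields readable without the master password and a summary of the `encrypted` payload. The `encrypted` value in the posted item begins with `U2FsdGVkX1`, which is the base64 encoding of the ASCII string `Salted__`, so the check looks for that header. The sample record and the function names are constructed for illustration.

```python
import base64
import json

# Key that holds the encrypted payload in the item record posted above.
ENCRYPTED_KEYS = {"encrypted"}
OPENSSL_MAGIC = b"Salted__"  # 8-byte header; base64 of it starts "U2FsdGVkX1"


def build_sample_item():
    """Constructed sample: same field names as the posted item, dummy values."""
    # magic + 8-byte salt + 48 bytes standing in for ciphertext (all constructed)
    blob = OPENSSL_MAGIC + bytes(range(8)) + bytes(48)
    return json.dumps({
        "uuid": "00000000000000000000000000000000",
        "title": "Example Shop",
        "location": "http://shop.example",
        "locationKey": "shop.example",
        "typeName": "webforms.WebForm",
        "encrypted": base64.b64encode(blob).decode("ascii"),
    })


def audit_item(raw_json):
    """Return (fields readable without unlocking, summary of encrypted blob)."""
    item = json.loads(raw_json)
    plaintext = {k: v for k, v in item.items() if k not in ENCRYPTED_KEYS}
    summary = None
    if "encrypted" in item:
        blob = base64.b64decode(item["encrypted"])
        salted = blob.startswith(OPENSSL_MAGIC)
        summary = {
            "salted_header": salted,
            "salt_hex": blob[8:16].hex() if salted else None,
            "ciphertext_bytes": len(blob) - 16 if salted else len(blob),
        }
    return plaintext, summary


def leaks_secret(raw_json, secret):
    """True if a known secret string appears in any unencrypted field."""
    plaintext, _ = audit_item(raw_json)
    return any(secret.lower() in str(v).lower() for v in plaintext.values())


if __name__ == "__main__":
    fields, enc = audit_item(build_sample_item())
    print("Readable without unlocking:", sorted(fields))
    print("Encrypted payload:", enc)
```

Anything a user types into the title or URL lands in the first group, which is why a value stored there is visible to anyone who can read the item record.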
Hi Peter,
If anything is NOT secure, PLEASE make it known so people are aware.
We do our best to make it known. :)
From the Security Overview page:
We are proud to make our data design details public and open to expert scrutiny
@RichardPayne's belief is mostly accurate:
The new opvault format does not leave any data unencrypted I believe.
Certain metadata is unencrypted, as explained under the Encrypting everything section of the 1Password 4 Cloud Keychain design document.
There are some additional references on the Security in 1Password 4 page.
I hope that helps!
0