How come anyone can see Title inside the .agilekeychain file?!
Hi there guys!
A couple of days ago I happened to find out that anyone can open an .agilekeychain in, for example, TextWrangler, then go to the data folder > default folder and get the list of .1password files.
If anyone opens that .1password file, they will see the following:
..."title":"Movistar Online","encrypted"...
Which means that anyone can easily see exactly what I store. I don't like that idea at all. I don't want anyone to know what kind of access or folders I have in my 1Password; this information is completely private and must be secured and hidden. But in the current case anybody can see and recreate the whole structure of my password architecture.
For sure nobody can see the passwords and other data, but the Title is visible, and this is very sensitive in many cases.
Imagine if I store a password from the Pentagon, but I don't want anyone to have a chance to know that I work for the Pentagon. I know this can sound funny, but still. Knowing the title alone can already put a person at risk in many cases.
Comments
-
Like, anyone who has access to my .agilekeychain file can easily recreate the structure of passwords and folders that I have. Guys, are you serious? :)
Anyone can see that I have, for example:
Financial Sites (folder)
- Bank of US
- Bank in Switzerland USBC
- Bank of Hawai
Company XYZ
- Access to Management Jira System
- Access to Webmail
And so on... Once again, I don't want anybody to know which sites or systems I keep passwords for.
0 -
p.s. Facebook login to your Discussions does not work. Here is what it says: http://mcshot.justwork.biz/images/75d0c23e.png :)
0 -
Hi @jeromenom,
Please have a read through Khad's post here. It should explain the situation with the .agilekeychain file. It is important to note that we are beginning the process to use the new Cloud keychain format as our default keychain storage across all platforms.
Please let me know the version numbers of 1Password that you are using on all computers and devices. It may be possible to get you set up on the new keychain format already.
p.s. Facebook login to your Discussions does not work
I've passed this information along to our forum gurus - thanks for letting us know!
0 -
Thank you Megan for your reply. I have read Khad's post, but he is just saying that the title is open and is not critical information for encryption. And what I'm saying is that it is. If anyone can see and reconstruct the structure of my passwords and folders, then let's say a pretty big part of the work is done. Imagine if we use Dropbox as a sync service and we share projects between several team members, so all these people have access to that .agilekeychain file and can see all the titles of the projects and services (some of them secret ones) we are using.
Plus, since I moved from KeePass to 1Pass, I need to store my personal passwords as well in the same program for my convenience. And as we already know, I cannot store one personal 1Pass file/vault in TheBox and another work vault in Dropbox, so all files are located within Dropbox. In other words, all people who have access to the Dropbox folder can recreate the structure even of my personal password titles and folders, which is really very private information.
So, my version of 1Pass on my Mac is:
1Password 5
Version 5.0.2 (502007)
Agile Web Store
On iPhone 6:
Version 5.1.2.+++
Additional off-topic question:
On my iPhone I cannot open any vault but the Master Vault. Is there any chance to switch between vaults on the mobile before I unlock one?
0 -
And one more thing: since we are working on Dropbox, it's critical for us to use Dropbox as the 1Pass sync and storage service, because some of our team members work on PC and I'm not sure they can or will be happy to use iCloud only for 1Pass file sync. :)
0 -
Hi @jeromenom
Okay, there's a fair amount in those posts to cover, so I'll take a crack at it, but if I miss something I apologise; please point out what hasn't been answered yet.
If you have both work and personal vaults you can keep them separate. One of the big advantages with Dropbox is the ability to share folders between Dropbox accounts. Now maybe some part of how it's already set up in your situation would make this impossible, that I'm not sure of, but there is a way to keep your .agilekeychain private and the work ones shared. Here is Dropbox's page on How do I share a file or folder with others? and our related page on Sharing a vault.
iCloud Sync wouldn't be an option if you have people using 1Password for Windows as only Yosemite and iOS 8 can use the CloudKit framework. CloudKit is a framework related to iCloud Drive but it's what does all the syncing. As a result iCloud Sync is limited to just 1Password 5 on Yosemite and iOS 8 and on top of that it must have been purchased via Apple's Mac App Store (MAS).
Now the .agilekeychain format is no spring chicken, and if you read the link you read about what is meant to eventually replace .agilekeychain, the .opvault format. I believe once we get Android and Windows Mobile (I believe it is those two) working with the .opvault format we will be in a position to make it the default. If you only run 1Password 5 on Macs, iOS devices or Windows machines, though, you could keep your personal vault in the .opvault format. It isn't easily done, but it is doable. If that's something you're interested in, let us know.
Lastly, in regards to your iOS query. Sadly you have to unlock your main vault; it doesn't currently have the ability to switch between unlocked vaults.
Let me know if I missed any questions.
0 -
Hey littlebobbytables. Thanks for the reply.
Unfortunately, at least 3 company owners have master access to the Dropbox folder, so in any case they will have my personal agile file visible, without having access to it. So, whether I (or they) put the file in any other Dropbox folder, each of us will have it visible in the file structure anyway. And, sure, they (or anyone else) can open it in a text editor and see what I store inside. And I don't like it at all.
Yes, we have people using Mac and Windows and using the 1Pass app.
I did not really get you about that .opvault format and how I can get it or how it can help me solve my problems. Sorry :)
So, overall, as I can understand:
1) Folders and titles of passwords I store will still be visible when someone opens a 1Pass file in a text editor, right?
2) There is no way for me to store my private vault separately from my work vaults and still have them synced between my Mac and iPhone (for example in TheBox or iCloud).
3) There is no way to unlock my private vault on iOS without unlocking the master vault.
Well, that means nothing I have asked can be solved at the moment, I guess :) Is that correct?
At least, I hope these questions were useful for your app's future development. And I will keep thinking about what to do with that, because I'm not really happy with the security / visibility of all my password titles and folders.
0 -
Hi @jeromenom
Does your work use a business Dropbox account? If it does, this information might be of interest to you.
Can I have two Dropbox accounts on the same computer or device?
It could allow you to run two Dropbox accounts in tandem, but it only works if one is a business account. Why it might be of use is that, if I've understood their help page correctly, it keeps your personal stuff separate, which is what you seem to need.
Let us know if that a) applies to your situation and b) would be an acceptable solution if it does.
0 -
Yes, we use a Dropbox Business account. I have read that manual, but unfortunately there is no such option to connect my personal Dropbox account in my Dropbox Settings > Profile. And anyway it won't solve the issue with visible titles / folders inside the .1password file.
NB! By the way, today we figured out that in the Windows version of 1Password, while you edit a record/item that has one or several passwords inside, the passwords are not encrypted, so anyone standing behind your back can take a photo and that's it!
In the Mac version this works fine.
0 -
Hi @jeromenom
The suggestion of connecting a personal Dropbox account with the business one wasn't so much that it would solve the issue of the .agilekeychain format but that you could have accessed your personal .agilekeychain without others being able to access it. As I understood it, this particular aspect in the design of the .agilekeychain was an issue because others could see your personal .agilekeychain as it was being stored on your shared business account?
As several versions of 1Password rely on the current file format of .agilekeychain it can't be easily remedied. That's where the .opvault format may be more what you're after.
Given it is still something we deem advanced use, I'll PM you.
0 -
@littlebobbytables yep, but as you can see from my post, I can't connect my personal Dropbox account to my business one either.
Regarding the .opvault format, I did not really understand how I can change the format and whether it will solve my problem with information privacy.
Thank you for your patience :)
0 -
Regarding the .opvault format, I did not really understand how I can change the format and whether it will solve my problem with information privacy.
With the .opvault format, almost everything is encrypted. This document explains the format in detail:
1Password 4 Cloud Keychain design
The most important part is that with .opvault, titles and URLs are encrypted. So using .opvault would solve your privacy issue.
I changed to .opvault last year; I'm using Dropbox to sync Mac, iOS and Windows. However, I'm not sure how you would switch today. My method was to turn on iCloud sync on my Mac (iCloud has always used .opvault), then copy the .opvault file from iCloud to the Dropbox folder, turn off iCloud and turn on Dropbox. But with OS X Yosemite, the way iCloud works has changed, so that method might not work. And I don't think the method has ever worked with secondary vaults (I only use one vault).
0 -
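The point the original poster and @Xe997 both make, as an added example that is not code from this thread or from AgileBits: in an .agilekeychain only the "encrypted" value is protected, so a quick audit of the JSON in data/default/*.1password shows exactly which title and folder outline anyone sharing the Dropbox folder can read without the master password. Only "title" and "encrypted" appear on the page; the other field names, the folders.js location and every sample value below are assumptions or constructed for the example.

```python
import glob
import json
import os

# Constructed sample records, shaped like the JSON the poster quotes
# ("title":"Movistar Online","encrypted"...). Field names other than
# "title" and "encrypted" follow the .agilekeychain layout as an
# assumption; every value is invented. The "encrypted" blob is truncated.
SAMPLE_ITEMS = [
    {"uuid": "1", "title": "Bank of US", "location": "https://bank-us.example",
     "folderUuid": "F1", "typeName": "webforms.WebForm", "encrypted": "U2FsdGVkX1...AAAA"},
    {"uuid": "2", "title": "Bank in Switzerland USBC", "folderUuid": "F1",
     "typeName": "webforms.WebForm", "encrypted": "U2FsdGVkX1...BBBB"},
    {"uuid": "3", "title": "Access to Webmail", "folderUuid": "F2",
     "typeName": "webforms.WebForm", "encrypted": "U2FsdGVkX1...CCCC"},
    {"uuid": "4", "title": "Movistar Online", "typeName": "webforms.WebForm",
     "encrypted": "U2FsdGVkX1...DDDD"},
]
# Folder metadata (assumed to live in data/default/folders.js as a JSON list).
SAMPLE_FOLDERS = [{"uuid": "F1", "title": "Financial Sites"},
                  {"uuid": "F2", "title": "Company XYZ"}]


def plaintext_fields(item):
    """Every top-level field except the "encrypted" blob is readable by anyone holding the file."""
    return {k: v for k, v in item.items() if k != "encrypted"}


def leaked_outline(items, folders):
    """Group item titles by folder title: the outline visible without unlocking the vault."""
    names = {f["uuid"]: f["title"] for f in folders}
    outline = {}
    for it in items:
        folder = names.get(it.get("folderUuid"), "(no folder)")
        outline.setdefault(folder, []).append(it["title"])
    return outline


def load_keychain(path):
    """Read an on-disk .agilekeychain: data/default/*.1password plus folders.js (if present)."""
    base = os.path.join(path, "data", "default")
    items = [json.load(open(p)) for p in sorted(glob.glob(os.path.join(base, "*.1password")))]
    fpath = os.path.join(base, "folders.js")
    folders = json.load(open(fpath)) if os.path.exists(fpath) else []
    return items, folders


if __name__ == "__main__":
    for folder, titles in leaked_outline(SAMPLE_ITEMS, SAMPLE_FOLDERS).items():
        print(folder)
        for t in titles:
            print("  -", t)
```

Point load_keychain at a real .agilekeychain bundle to run the same audit on your own vault before placing it in a shared folder.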
Switching would be done through various Terminal commands. I also switched to .opvault last year through that process. All my vaults (10+) are in .opvault format now. It's a little work but well worth it IMHO.
Sometimes when the option does not show up in the Dropbox > profile page, it's because you are logged into a "basic" or "pro" account and not a true Dropbox for Business account. Another possibility is that the admin of a Dropbox for Business account has restricted access to that feature: https://www.dropbox.com/help/4236
-- No need to follow up on that, as the main issue is the .opvault migration. I just wanted to point it out for you.
In the new vault format pretty much everything is encrypted completely. No showing names etc. See the link @Xe997 posted above.
0 -
Thank you guys. I guess I will just wait for the 1Pass team to guide me on how to switch to the .opvault format and that will be it. :)
And yes, I am using Dropbox Pro, so I guess that is why I don't see that option.
0 -
@jeromenom I've responded to your message.
0 -
Problem solved with your personal support help. Thank you!
0 -
Thanks for the update! If there is anything else we can do, please don't hesitate to contact us.
0