AgileKeychain: Title and Location fields are not encrypted

AGAlumB
AGAlumB
1Password Alumni
This discussion was created from comments split from: I keep receiving a notification "Contents.js updated".

Comments

  • Bjorn_Nilsson_ANAB
    Bjorn_Nilsson_ANAB
    Community Member

    The file, Contents.js spells out what information I store in my keychain in plain text. Even though the passwords seem encrypted this doesn't feel very secure.
    It is a JavaScript-file stored online which can be picked up anyone every time my Dropbox account is updated over WiFi and whatever I have a login to, can be read by any Tom, Dick and Harry.
    A lot can be read out from the logins alone. I work with a lot of different customers and store lots of logins - some that must not be stored online. If one of my customers with that level of security would accidentally see that I was storing my login in plain sight I would loose that contract and probably be sued.
    This is a major flaw and unless you correct it I can't keep using your software.
    You need to correct this immediately.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @Bjorn_Nilsson_ANAB: I hope you don't mind, but I've split you off into a separate discussion since your post isn't related to the original poster's question.

    The file, Contents.js spells out what information I store in my keychain in plain text. Even though the passwords seem encrypted this doesn't feel very secure.

    You're absolutely right. Location and Title fields are not encrypted in contents.js. But we're less concerned about what feels secure ("security theater") than actual security.

    It is a JavaScript-file stored online which can be picked up anyone every time my Dropbox account is updated over WiFi and whatever I have a login to, can be read by any Tom, Dick and Harry.

    This just isn't true. I don't think it's even possible to access Dropbox over anything but an HTTPS connection these days. But regardless it's best to use a secure VPN if you're going to use public Wi-Fi. The only way Tom, Dick, and/or Harry can read your traffic on the fly (or capture it to peruse later) is if you're connecting to a website insecurely and transmitting sensitive data.

    This is a major flaw and unless you correct it I can't keep using your software.

    You need to correct this immediately.

    This isn't a flaw. It's by design. Everything but the Title and Location fields is encrypted. This allows for fast indexing and searching even on slower devices. A URL is not unique to you, and of course it wouldn't be helpful to put sensitive information in the title of an item, because this would also be immediately visible to anyone looking over your shoulder — just like they could watch you go to a website, even if they can't see your login credentials.

    Now, because technology has advanced since AgileKeychain was developed and things are a bit faster now (many devices support hardware acceleration for AES256), we later developed the OPVault format, which you can use if you like. We haven't rolled it out across all platforms yet, so it isn't used by default.

    But also be sure to check out our knowledgebase to learn more about the security of 1Password. It's your data, after all! :)

This discussion has been closed.