Concern about data security

Zete
Community Member

I've been using 1Password 4 for Mac for nearly a month now and I like its features. (I purchased a couple of copies years ago, but did not use them. The product's much improved!)

When I first loaded it and asked about the security features when I synced with another Mac, I was told that the kind of sync I use would affect the security issue. I felt OK with that, but didn't pursue it.

Now I'm about 30 days into my trial and was about to purchase it for my Macs and iPhone, but I revisited the issue and it still seems to be a problem.

I use BBEdit for website maintenance and I opened the .1password file in BBEdit. BBEdit created a data "folder" with a "default" folder under it. When I click on any of the items in that "default" folder I can see the website associated with the information in 1Password for that record. I was hoping that nothing in the 1password database would be visible, that each entire record would not show any information. I work in an environment where even a website address must be hidden.

So, before I can decide if this program works in my environment, I need to be sure that no one using a computer can see what websites are listed in my 1Password data.

I've attached two screen captures. In both the "title" of the website is circled and clearly displayed.

Is there any way to hide these data?

Comments

  • Hi @Zete,

    Our old Agile Keychain format does store some metadata in the clear. Here is the list of the unencrypted items:

    • Icon
    • Title
    • Location
    • Type
    • Modified Date
    • Created Date
    • Folder
    • Tag

    Password strength used to be included in that list as well, but that was changed way back in November 2011.

    This is outlined in a few different places in the User Guide. From the Agile Keychain Design document:

    The Agile Keychain is nearly identical to the Mac OS X keychain in terms of what is kept encrypted and what is left open in plain text. The distinction is an important trade-off between security and convenience. The more that is encrypted, the less a would-be thief can access, but it is also necessary to leave enough open to allow applications to freely access certain items without needing to decrypt every single entry each time. The Mac OS X keychain nicely balances security and convenience, so the Agile Keychain follows suit.


    Here is an example entry from the Agile Keychain:

    {
     "title" : "dave @ AWS login",
     "locationKey" : "perfora.net",
     "encrypted" : "...",
     "typeName" : "webforms.WebForm",
     "securityLevel" : "SL5",
     "openContents" : {
       "createdAt" : 1216012929,
       "updatedAt" : 1216012929,
       "usernameHash" : "..."
     },
     "location" : "https://webmailcluster.perfora.net:443/xml/webmail/Login",
     "uuid" : "0A522DFCAE6442D991145BC76E55D343",
     "folderUuid" : "A90D66D1A4E34481BDF03DDEA9F511AC"
    }

    As you can see, not all the information is encrypted. Most notably, the name/title of each entry (i.e. dave @ AWS login) and the location/URL are open. Having these open allows 1Password to organize your data and display it without suffering the performance hit of needing to decrypt every single item. All the truly confidential information is stored in the encrypted section of the file.

    The original form of the Agile Keychain left its assessment of password strength among the unencrypted data. This was removed in 2011.

    The above file format is based on JSON (JavaScript Object Notation). It is a lightweight notation for structuring data without the overhead associated with formats like XML. As a side benefit, these JSON files can be loaded directly into a web browser. The name of the file is based on the UUID (Universally Unique Identifier) of the item. This guarantees the filename is unique and will stay the same even when items are renamed.

    The new 1Password 4 data format encrypts all data. In version 4, your data is stored locally in a SQLite database (OnePassword.sqlite), and all data is encrypted (even the metadata).

    For syncing, the new Cloud Keychain/opvault format also encrypts all data. The Cloud Keychain is currently used for iCloud syncing.

    Dropbox and Folder syncing still use our old Agile Keychain format at the moment, but as we move forward the Cloud Keychain/opvault format will be used in more places. Once all our apps support the new format, we'll phase out the older format and use the new format everywhere for all sync methods.

    You can read about the new data format here:

    1Password 4 Cloud Keychain design

    Please let us know if you have any other questions. We're always happy to help!

This discussion has been closed.
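
An added example, not part of the thread and not AgileBits code: a Python function that takes an Agile Keychain item like the one quoted in the reply and separates the fields readable straight from the file from the encrypted payload, which is the exposure the original post describes. The sample item is constructed from the quoted entry, and the mapping from JSON keys to the reply's list of unencrypted items is an assumption.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample modelled on the entry quoted in the reply above; the
# "..." values stand in for the ciphertext and hash, which the page elides.
SAMPLE_ITEM = """{
 "title": "dave @ AWS login",
 "locationKey": "perfora.net",
 "encrypted": "...",
 "typeName": "webforms.WebForm",
 "securityLevel": "SL5",
 "openContents": {"createdAt": 1216012929, "updatedAt": 1216012929, "usernameHash": "..."},
 "location": "https://webmailcluster.perfora.net:443/xml/webmail/Login",
 "uuid": "0A522DFCAE6442D991145BC76E55D343",
 "folderUuid": "A90D66D1A4E34481BDF03DDEA9F511AC"
}"""

# Assumed mapping from JSON paths in that entry to the reply's list of
# unencrypted items (Icon and Tag have no key in the quoted entry).
CLEAR_FIELDS = {
    "title": "Title", "typeName": "Type", "folderUuid": "Folder",
    "location": "Location", "locationKey": "Location",
    "openContents.createdAt": "Created Date", "openContents.updatedAt": "Modified Date",
}

def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf of a nested dict."""
    for key, value in obj.items():
        if isinstance(value, dict):
            yield from flatten(value, prefix + key + ".")
        else:
            yield prefix + key, value

def exposure_report(item_json):
    """Report what one item reveals to a reader who decrypts nothing."""
    item = json.loads(item_json)
    report = {"exposed": {}, "other_clear": [],
              "encrypted_present": item.pop("encrypted", None) is not None}
    for path, value in flatten(item):
        category = CLEAR_FIELDS.get(path)
        if category is None:
            report["other_clear"].append(path)  # readable, but not on the list
            continue
        if category.endswith("Date"):  # Unix seconds -> ISO 8601 UTC
            value = datetime.fromtimestamp(value, timezone.utc).isoformat()
        report["exposed"].setdefault(category, []).append(value)
    report["host"] = urlsplit(item.get("location", "")).hostname
    return report
```

For the sample, `exposure_report(SAMPLE_ITEM)["host"]` is the site name that anyone with read access to the synced file can see, which is the deciding factor when even website addresses must stay hidden.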