[Vault] 1Password is storing the URL / ItemNames in your Vault in an outside file in clear text

[Deleted User]
Community Member

Hey there!

I've been a 1Password User for a fairly long time, but now I'm concerned about one particular issue:

Why, for the love of god, is 1Password storing the URLs / ItemNames that are currently stored in your Vault outside in a cleartext javascript file that is also called contents.js?

I like AgileBits as a company a lot, especially their way of communicating security!
But why that security breach?

To make things clear: by no means do I intend to say "Wow, 1Password is bad software." But I want to understand the thought process behind it.

Best wishes,

Flowinho

Comments

  • [Deleted User]
    Community Member

    I created an example vault to further showcase the problem.

  • Hi @Flowinho,

    This is part of the design of the AgileKeychain Format. At the time it was necessary to have these certain fields decrypted. This is covered in this AgileKeychain Design document.

    Soon we will be moving to our newer OPVault format which does not reveal this information.

  • [Deleted User]
    Community Member

    Someone from AgileBits will definitely give you a detailed answer, but until then here are my thoughts (I'm just a forum user like you):

    What you see is expected. 1Password uses a format called agilekeychain when using Dropbox or folder sync. If you use iCloud sync, you get the newer opvault format. Agilekeychain does not encrypt URLs and item names. Opvault does encrypt URLs and item names. Here are the technical details:

    https://learn2.agilebits.com/1Password4/Security/keychain-design.html

    Of course, AgileBits wants opvault to become the default format. Unfortunately the rollout of opvault has moved at a glacial speed. There are some existing discussions on the forum including replies from AgileBits. Some examples:

    https://discussions.agilebits.com/discussion/28042/opvault-or-agile-keychain
    https://discussions.agilebits.com/discussion/24669/opvault-status-almost-ready-in-apps-but-not-officially-adopted-yet-as-the-default-sync-format
    https://discussions.agilebits.com/discussion/31009/better-keychain-format-options-needed-feature-requests

    It is possible to switch to opvault even if you use Dropbox and folder sync. I have myself used opvault for almost a year without issues, but my setup is pretty simple: 2 Macs, 1 vault, no attachments.
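
As an added example (not from this thread or from AgileBits): a Python check that inventories a sync folder for vault bundles by the two extensions named in this discussion and collects the item names and URLs that any contents.js exposes without the master password. That contents.js is plain JSON, the entry layout (title at index 2, location at index 3) and the sample folder names are assumptions; the sample data is constructed.

```python
import json
import os
import tempfile

# Assumed entry layout (not stated in the thread): [uuid, type, title, location, ...]
TITLE, LOCATION = 2, 3

def audit_sync_folder(root):
    """Return one report per vault bundle found under root."""
    reports = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            ext = os.path.splitext(name)[1].lower()
            if ext not in (".agilekeychain", ".opvault"):
                continue
            dirnames.remove(name)  # treat the bundle as a leaf; do not descend here
            bundle = os.path.join(dirpath, name)
            exposed = _cleartext_entries(bundle) if ext == ".agilekeychain" else []
            reports.append({"bundle": name, "format": ext[1:], "exposed": exposed})
    return sorted(reports, key=lambda r: r["bundle"])

def _cleartext_entries(bundle):
    """Collect (title, location) pairs readable without the master password."""
    found = []
    for dirpath, _, files in os.walk(bundle):
        if "contents.js" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "contents.js"), encoding="utf-8") as fh:
                entries = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to report
        for e in entries if isinstance(entries, list) else []:
            if isinstance(e, list) and len(e) > LOCATION:
                found.append((e[TITLE], e[LOCATION]))
    return found

def demo():
    """Build a constructed sync folder (hypothetical names) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        legacy = os.path.join(root, "Personal.agilekeychain", "data", "default")
        os.makedirs(legacy)
        os.makedirs(os.path.join(root, "Work.opvault", "default"))
        sample = [["A1", "webforms.WebForm", "Example Bank", "bank.example", 0, "", 0, "N"]]
        with open(os.path.join(legacy, "contents.js"), "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        return audit_sync_folder(root)

if __name__ == "__main__":
    print(demo())
```

Call `audit_sync_folder()` on your own Dropbox or sync directory; any bundle reported with a non-empty `exposed` list is still syncing in the older format.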

  • littlebobbytables
    1Password Alumni

    Hi @Flowinho,

    As chrisdji has stated there are historical reasons for this, ones that wouldn't apply if creating from scratch now. I can't disagree with what Xe997 said either, I know we've been intending to adopt the .opvault for a while now and from the user's perspective it will probably seem like we haven't made any progress.

    If you're interested in manually moving over to the .opvault format for your syncing needs let us know and we can help you there, once we've made sure it won't mess anything up that is.

  • saphirblanc
    Community Member

    Hello,

    Is there a way to migrate ourselves to this format?

    Thank you,

  • Stephen_C
    Community Member

    The current 1P for Mac 5.4 beta allows you to change to opvault format if you sync by Dropbox or if you use folder sync (so the ability should be coming in the next release if beta testing goes well). There is a command line way of changing your vault format which has been referred to on this forum but I'd be a little wary unless and until AgileBits confirms it's happy there's no risk of data loss or corruption—because I suspect much depends on whether or not you sync your 1P data and, if so, how you do it and with what other platform(s) you sync. (There are still some incompatibilities of vault format between platforms, as I understand it.)

    Stephen

  • littlebobbytables
    1Password Alumni

    We're now down to Android as the .opvault holdout :wink: I kid, somebody had to be the final piece to the puzzle. I believe we've got many of the kinks ironed out so if you'd like to try .opvault @saphirblanc then our beta would be the easiest way to do so. The option is in Help > Tools > Enable OPVault for Dropbox and Folder sync. If you are currently syncing using the .agilekeychain you will have to disable syncing and re-enable to have 1Password switch over. While enabling OPVault will mean any vault creations going forward use the newer format, it doesn't automatically convert existing sync data.

    If you have any questions please do ask away.

  • saphirblanc
    Community Member

    Hi,

    Thank you for your answer. I'll give it a try and let you know.

    Best,

    Yann

  • littlebobbytables
    1Password Alumni

    :smile:

  • saphirblanc
    Community Member

    Hi @littlebobbytables

    I've disabled the syncing of my vaults, but the option to enable OPVault is still not showing up in the tools view.
    I do have the latest beta available: 5.4 Beta 2.

    What should I do?

    Thank you,

  • Stephen_C
    Community Member

    "I do have the latest beta available: 5.4 Beta 2."

    The latest beta is 5.4.BETA-9—and that is the beta that introduced the feature you want.

    Stephen

  • littlebobbytables
    1Password Alumni

    Hi @saphirblanc,

    It sounds like updating has stopped for some reason or another. The latest beta is actually 5.4.BETA-9 and OPM-3029 in this latest beta release. If updating doesn't want to play ball I'd recommend the following:

    1. Quit both 1Password and 1Password mini. You can do this with the keyboard shortcut ⌃⌘Q when 1Password is open (it doesn't have to be unlocked).
    2. Drag the 1Password application from your /Applications/ folder to the Trash. Please don't use an app cleaner.
    3. Reboot your Mac.
    4. Download a fresh copy of the 1Password beta from our AgileBits Download page, just click on the Enable betas link next to the ladybird first.

    You won't risk your data at all as long as you don't use any app cleaner. I do this all the time and I wouldn't recommend anything that would risk your vault either. With the newest beta you should see the option :smile:

  • saphirblanc
    Community Member

    Oh thank you for the information!

  • Drew_AG
    1Password Alumni

    @saphirblanc, on behalf of littlebobbytables, you're quite welcome! :) Let us know how it goes, and if you have any trouble with that, we'll continue from there. Thanks!

This discussion has been closed.