This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
Data visibility
agilefan1587
Junior Member
in Lounge
I have a few questions concerning data visibility. I am wondering about what a bad guy could see even without the master password.
1) It is my understanding that password strength is no longer stored in the clear but is now encrypted. My keychain is a couple years old. Were the strengths automatically encrypted or do older keychains still have strength information stored in plain text? I am running v3.8.20 on my mac.
2) Is there any information, other than titles and URLs that are stored in plain text?
3) How do smart folders appear in the keychain and in iOS apps? Are the names of the smart folders, search criteria, or cards that matched the criteria visible? For example, if I create a smart folder titled "sites that use password abc", where abc is the actual password being searched for, will a bad guy be able to see that I use "abc" or what sites the search matched with?
Randy
1) It is my understanding that password strength is no longer stored in the clear but is now encrypted. My keychain is a couple years old. Were the strengths automatically encrypted or do older keychains still have strength information stored in plain text? I am running v3.8.20 on my mac.
2) Is there any information, other than titles and URLs that are stored in plain text?
3) How do smart folders appear in the keychain and in iOS apps? Are the names of the smart folders, search criteria, or cards that matched the criteria visible? For example, if I create a smart folder titled "sites that use password abc", where abc is the actual password being searched for, will a bad guy be able to see that I use "abc" or what sites the search matched with?
Randy
Flag
0
Comments
-
4) Same question as 3, but with tags and folders. Are either tag or folder names and membership visible without the master password?Flag 0
-
Good questions, Randy. It is great that you are thinking about these things. From the [url="https://agilebits.com/onepassword/mac/release_notes#v31205"]1Password 3.8.11 release notes[/url]:
[quote]Improved defence against data harvesters by not including the password strength indicator. This only applies to new and edited items; to update all your old items, the [b]Help > Troubleshooting > Rebuild Data File[/b] menu can be used.[/quote]
While your sensitive data is always strongly encrypted, metadata about the items is not. The easiest way to visualize this is to simply open the [b]View > Columns[/b] menu. Apart from password strength, the metadata represented there which is used to sort items is not currently encrypted:[list]
[*]Icon
[*]Title
[*]Location
[*]Type
[*]Modified Date
[*]Created Date
[*]Folder
[*]Tag
[/list]
So tags assigned to an item and the folder an item is located within are both available in the JSON. Smart Folders are each represented by a unique `.1password` item within the data file bundle, but neither the search criteria nor the items which meet the criteria are available in the JSON.
Though we like to be agile and not normally announce features before they are delivered, this is an aspect of our forthcoming format which we have publicly announced. The new format which encrypts such metadata is in very active development, but I can't give more details at this time.
I hope that helps. Please let me know if you any further questions or concerns.Flag 0