contents.js and 1password.keys

rhellyer

In my dropbox/1password.agilekeychain folder I found two recently updated files that were in clear text : contents.js and 1password.key



Contents.js appeared to contain all my account info but with the detail (eg. passwords, in encrypted form) and 1password.key appears to have keys of some sort.



My question is this. Is this normal behavior and is it secure? For example, were some to be able to access these files (eg. by getting into my dropbox account) would they be able to decrypt my passwords, or would they still be secured through my single password?



Many thanks

Richard

khad

In the words of the famous guide to hitchhiking, "Don't panic." <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



Everything you describe is perfectly normal.



The [font=courier new,courier,monospace][b]contents.js[/b][/font] file simply contains a "table of contents" of sorts for your data. All sensitive data is encrypted, only the metadata is available in clear text. Details of this can be found in our "[url="http://help.agilebits.com/1Password3/agile_keychain_design.html"]Agile Keychain Design[/url]" document as well as a more detailed explanation in our "[url="http://help.agilebits.com/1Password3/cloud_storage_security.html"]Security of storing 1Password data in the cloud[/url]" document. Please do read them both in full so we are on the same page.



As for the [font=courier new,courier,monospace][b]1password.keys[/b][/font] file, it is encrypted by your master password. Your master password does not directly encrypt/decrypt your data but is used to encrypt/decrypt that file which in turn is the true key.



When you enter your master password, 1Password attempts to decrypt the encryption key which is 1024 bytes of random data generated when the data file was created. If the master password is correct, then the key is provide. Otherwise, nothing is returned.



If you still have questions or concerns after reading the above documents, I'd be happy to provide further clarification.



Cheers,

rhellyer

Thanks for the quick clarification, and de-panification - I will keep my towel with me at all times



Richard

khad

Stay safe out there! <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

dennish007

Khad,



The contents.js file contains a list of all your personal sites for which you have user account. For some users this could be sensitive information.

It's like a open list of bookmarks. Personally I do not care, but if the user's intend is NOT to share this list you might have a problem here.

Of course you need to hack the Dropbox account first to get to the data.

I would advise to encrypt ALL data. Technically you might get in trouble (things might slown down in performance). At least make it optionally.



Kind regards,

Dennis

khad

Welcome to the forums, Dennis!



The short version is that we have already done that in the new Cloud Keychain Format. Please take a look at [url="http://forum.agilebits.com/index.php?/topic/11452-but-is-it-secure/page__view__findpost__p__65719"]Jeff's post in another thread[/url] about this issue.

dennish007

Hello Khad,

Thanks for the info. Looking forward to the iCloud/iOS implementation!

khad

[quote]Looking forward to the iCloud/iOS implementation![/quote]

It is already available in [url="http://blog.agilebits.com/2012/12/13/new-1password-4-ios/"]1Password 4 for iOS[/url]. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



If you were referring to iCloud support in 1Password for Windows, so far Apple has not provided an iCloud SDK for Windows. iCloud support in 1Password for Windows is impossible unless that changes. I'm pretty sure they said it would be available eventually, so hopefully that comes to fruition.