This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

contents.js and 1password.keys

In my dropbox/1password.agilekeychain folder I found two recently updated files that were in clear text : contents.js and 1password.key



Contents.js appeared to contain all my account info but with the detail (eg. passwords, in encrypted form) and 1password.key appears to have keys of some sort.



My question is this. Is this normal behavior and is it secure? For example, were some to be able to access these files (eg. by getting into my dropbox account) would they be able to decrypt my passwords, or would they still be secured through my single password?



Many thanks

Richard

Comments

  • khad
    khad Social Choreographer
    edited December 2012
    In the words of the famous guide to hitchhiking, "Don't panic." <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



    Everything you describe is perfectly normal.



    The [font=courier new,courier,monospace][b]contents.js[/b][/font] file simply contains a "table of contents" of sorts for your data. All sensitive data is encrypted, only the metadata is available in clear text. Details of this can be found in our "[url="http://help.agilebits.com/1Password3/agile_keychain_design.html"]Agile Keychain Design[/url]" document as well as a more detailed explanation in our "[url="http://help.agilebits.com/1Password3/cloud_storage_security.html"]Security of storing 1Password data in the cloud[/url]" document. Please do read them both in full so we are on the same page.



    As for the [font=courier new,courier,monospace][b]1password.keys[/b][/font] file, it is encrypted by your master password. Your master password does not directly encrypt/decrypt your data but is used to encrypt/decrypt that file which in turn is the true key.



    When you enter your master password, 1Password attempts to decrypt the encryption key which is 1024 bytes of random data generated when the data file was created. If the master password is correct, then the key is provide. Otherwise, nothing is returned.



    If you still have questions or concerns after reading the above documents, I'd be happy to provide further clarification.



    Cheers,
  • Thanks for the quick clarification, and de-panification - I will keep my towel with me at all times



    Richard
  • khad
    khad Social Choreographer
    Stay safe out there! <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />
  • dennish007
    edited December 2012
    Khad,



    The contents.js file contains a list of all your personal sites for which you have user account. For some users this could be sensitive information.

    It's like a open list of bookmarks. Personally I do not care, but if the user's intend is NOT to share this list you might have a problem here.

    Of course you need to hack the Dropbox account first to get to the data.

    I would advise to encrypt ALL data. Technically you might get in trouble (things might slown down in performance). At least make it optionally.



    Kind regards,

    Dennis
  • khad
    khad Social Choreographer
    Welcome to the forums, Dennis!



    The short version is that we have already done that in the new Cloud Keychain Format. Please take a look at [url="http://forum.agilebits.com/index.php?/topic/11452-but-is-it-secure/page__view__findpost__p__65719"]Jeff's post in another thread[/url] about this issue.
  • Hello Khad,

    Thanks for the info. Looking forward to the iCloud/iOS implementation!
  • khad
    khad Social Choreographer
    [quote]Looking forward to the iCloud/iOS implementation![/quote]

    It is already available in [url="http://blog.agilebits.com/2012/12/13/new-1password-4-ios/"]1Password 4 for iOS[/url]. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />



    If you were referring to iCloud support in 1Password for Windows, so far Apple has not provided an iCloud SDK for Windows. iCloud support in 1Password for Windows is impossible unless that changes. I'm pretty sure they said it would be available eventually, so hopefully that comes to fruition.