This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

1Password Preferences unsecure?

nosirrah Junior Member
edited December 1969 in Mac
You may be able to convince me that this is not a security hole, but when I found it I didn't feel at all safe.



I launched 1P without logging in and was able to read and update Preferences information. Not the "Security" pane, but everything else including seeing where the keychain file was, and being able to rename/move it. So much for renaming and moving it for added security.



This may not be dangerous, but why allow this action at all?



P.S. I know a marauder might only get to this stage if I have been stupid; but a good security system should try to cover for stupidity too. In this case that coverage should be simple to implement.

Comments

  • MartyS AgileBits Customer Care (retired)
    edited December 1969
    We allow some data file operations within the Preferences that would be allowed from the Finder. You can certainly move/rename the data file without running the 1Password application and in fact can double-click on a .agilekeychain file to have 1Password launched and ask if you want this to become your current data file. Without the corresponding Master Password no one will be able to access the encrypted contents.



    The idea of moving and/or renaming your 1Password data file is "security by obscurity" at best. We go way beyond that with the encryption of the data file's contents so no matter how or where someone might gain access to your data file contents they can't get all the way inside to look up your closest information without that Master Password.