This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

No Master Password Needed

I am using 1Password on a Droid II with Dropbox. Sometimes, but not every time, when I start 1Password it vibrates the phone and asks for the password. If I touch the text box to enter a password and then use the back up button twice, 1Password opens up and exposes all the passwords without entering the master password. I have tried to diagnose it but it seems to happen randomly.



Thanks, Randy

Comments

  • GeneY
    GeneY AWS Team
    Hi Randy,



    Thank you for the feedback.

    I spent at least a couple of hours today and wasn't able to reproduce the issue on my Nexus One phone.

    None of the customers reported it so far either.



    Notice that 1Password for Android doesn't store your Master password anywhere on the phone, not even in the most hidden preferences, not even in encrypted format.

    On the other hand, in order to decrypt your secure data, Master Password is absolutely required, there is no way to see your secure data without entering your password.

    It is simply not possible.



    On the other hand, if your application is put into the background by clicking the Back or Home button, it stays alive in the background with loaded data until it is killed by the phone's operating system.

    However, if you bring the application to the front, it asks you for your PIN number or Master Password (depending on how you configured your application's preferences).



    I would love to have more information from you with detailed steps on how to reproduce the issue you've reported; however, I can say with all certainty that there is absolutely no way to decrypt and see your data without a Master Password.



    Best regards,

    Gene

    Android developer



  • I was also able to see all my logins and passwords without ever entering the master password on Android. I have done this 3 times with the same result. It is a different sequence of actions to the OP. Here's what to do...



    1. create a new 1password database on the mac with master password abc123 for example

    2. copy it to the android phone and open the database using the 1password app with master password abc123

    3. go back to the mac and add a load of logins to the database (using import for example) and change the master password to something different

    4. copy the updated database to the phone again

    5. open the 1password app on the phone again and all the newly added logins can immediately be seen on the phone without entering the new master password



    How is this possible if all the logins are encrypted with the master password? Something strange is going on.
  • GeneY
    GeneY AWS Team
    Hi ol2,



    There is nothing strange in it.



    Close 1Password on your phone and relaunch it: you will be asked for the new password, password abc123 won't work.

    Once the new password is entered, you will be able to see all the data, encrypted with old or new password.

    Change the master password again, create new entries, do it many times, then copy the new keychain to the phone's SD card.

    Close the application, relaunch it, enter the last Master Password and you will see data created with all passwords.



    You replaced the datafile while 1Password was running (even if in the background), therefore, an encrypted key was stored in program memory and was used to decrypt the new login entries.



    Notice that all entries on the phone are encrypted with the same encryption key which doesn't change no matter how many times you change the Master Password.

    (Of course, the key is different for every keychain). The key itself is encrypted with the master password which, of course, may change.



    When you enter your Master Password, the application tries to decrypt the encryption key with it: if it is successful, the key is kept in memory while the application is running and then erased with all other application data (as happens with any other application). A Master Password change doesn't affect any encrypted entries.



    Open the 1Password data file (1Password.agilekeychain) on your computer: you will see many files with the extension .1Password; these are your secure entries (logins, etc).

    Next, change your master password: you may notice that all these entries stay the same and only the encryptionKeys.js file is changed; that is the file with the encryption key encrypted by the Master Password.



    Please let me know if you need more info



    Best regards,

    Gene

    Android developer





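The key-wrapping behaviour described in the reply above, replayed as an added example (not AgileBits code and not part of the original posts). It uses a stdlib stand-in cipher rather than the keychain's actual algorithms; all function names, the sample passwords and the final relock check are assumptions made for illustration.

```python
import hashlib, hmac, os

def _keystream_xor(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 in counter mode (stdlib only, not the real format's cipher).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def _subkeys(key):
    # Separate encryption and MAC keys derived from one key.
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def seal(key, plaintext):
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    return nonce + hmac.new(mac, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted data")
    return _keystream_xor(enc, nonce, ct)

def wrap_key(master_password, data_key):
    # Plays the role of the key file: the data key encrypted under the master password.
    salt = os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    return salt + seal(kek, data_key)

def unlock(master_password, wrapped):
    kek = hashlib.pbkdf2_hmac("sha256", master_password.encode(), wrapped[:16], 100_000)
    return unseal(kek, wrapped[16:])

def replay_thread_scenario():
    data_key = os.urandom(32)                     # per-keychain key, never changes
    keyfile_old = wrap_key("abc123", data_key)
    cached = unlock("abc123", keyfile_old)        # phone: app unlocked, key held in memory
    keyfile_new = wrap_key("constructed-new-pw", data_key)   # desktop: password change re-wraps only
    entry = seal(data_key, b"login added after the change")  # desktop: new entry, same data key
    shown = unseal(cached, entry)                 # phone: files swapped while app still running
    try:
        unlock("abc123", keyfile_new)             # after a relaunch the old password is rejected
        old_password_works = True
    except ValueError:
        old_password_works = False
    # Hypothetical hardening check: drop the cached key when the key file differs from the one unlocked.
    must_relock = hashlib.sha256(keyfile_old).digest() != hashlib.sha256(keyfile_new).digest()
    return shown, old_password_works, unlock("constructed-new-pw", keyfile_new) == data_key, must_relock
```
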