This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

URL, Login Name encryption

Regarding the format of an encrypted *.1PASSWORD file on 1Password for Windows, why is it that URLs and Login Names don't get encrypted? Isn't this a bit of a security risk? If someone got hold of the keychain, they could snoop and, at a minimum, see what URLs/sites you have logins for and also the names; i.e., if you name it "Work Banking", then there's a potential privacy leak in this.



What are the devs' thoughts?



I note that other password apps like Roboform and LastPass secure every piece of data.

Comments

  • DBrown
    edited April 2011
    This subject has been discussed often in the forums.



    The reason is that the URLs are used in matching your Login items to the web sites you're visiting in your browser, and the names are used in presenting your Logins when you use the "go and fill login" feature. If they were encrypted, 1Password would have to decrypt them every time you invoked the 1Password extension in your browser, which would have an unacceptable effect on performance.



    That said, we are looking into ways to add optional encryption of names and URLs, too, though I don't have any details about when such a feature might become available.



    (Personally, I have no problem with anyone knowing where I do my banking, which type of credit card I use, or the fact that I have a driver's license. Anyone could learn those things by following me around on a typical day's errands. I don't see the risk associated with that level of information being "leaked"...but that's just me. :))
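
Added example, not part of the original thread and not AgileBits code: a sketch of the trade-off described in the reply above, where URL matching runs on cleartext fields with no key, and the same fields are readable by anyone holding the file. The item layout and the field names `title`, `location` and `encrypted` are assumptions made for illustration, and the sample items are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample items. The field names ("title", "location",
# "encrypted") are assumptions for illustration, not taken from the thread.
ITEMS_JSON = """
[
  {"title": "Work Banking", "location": "https://bank.example/login",
   "encrypted": "b3BhcXVlLWJsb2ItMQ=="},
  {"title": "Forum", "location": "https://forum.example.org/",
   "encrypted": "b3BhcXVlLWJsb2ItMg=="}
]
"""

ENCRYPTED_FIELDS = {"encrypted"}  # assumed: every other field is stored in the clear


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def match_logins(items, page_url):
    """Titles of items whose stored host equals the page host or is a
    parent domain of it. No key or decryption is involved."""
    page = host_of(page_url)
    hits = []
    for item in items:
        stored = host_of(item.get("location", ""))
        if stored and (page == stored or page.endswith("." + stored)):
            hits.append(item["title"])
    return hits


def exposed_metadata(items):
    """What a reader of the file learns without the master password."""
    return [{k: v for k, v in item.items() if k not in ENCRYPTED_FIELDS}
            for item in items]


ITEMS = json.loads(ITEMS_JSON)

if __name__ == "__main__":
    print(match_logins(ITEMS, "https://bank.example/accounts"))
    for row in exposed_metadata(ITEMS):
        print(row)
```
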
  • CurbedEnthusiasm
    edited April 2011
    Thanks for the reply, David. I understand the explanation you've listed there, but out of curiosity, I wonder how competitors do URL matching - I assume they decrypt on the fly, in which case, there's no noticeable performance hit I've ever noticed with Robo or LP.



    Look forward to further encryption options/implementations.



    To a certain extent, I see your point about information leaks, but for the paranoid (moi), I want to be assured no one can get even a sniff of what logins I use/have.
  • Beyond a certain point (and I'd argue that 1Password has already reached that point) security is largely a state of mind.



    I don't say that in a dismissive spirit, at all, but in recognition that my own feelings about the security of my data don't work for everyone, and all of us at Agile take the security of your 1Password data very seriously.



    Thanks again for sharing your opinion on this, CE!