Unencrypted info in 1Password.agilekeychain

Ryan Tate

Hi, I was poking around in ~/Library/Application Support/1Password and noticed a folder called "Fill." In this folder is a list of .plist files corresponding to various domain names (e.g. amazon.com.plist). These files appear to correspond to some of the sites I have used 1Password to log into. I had been under the impression that the specific websites where I have 1Password logins was considered private data, i.e. data that is kept locked up confidential by the 1Password app. Is this not the case?



Perhaps I misunderstanding what these plist files are and where they come from. Thanks for any info.

khad

Thanks for asking about this, Ryan! I have merged your post with the thread which deals with the topic more generally, but [url="http://forum.agile.ws/index.php?/topic/1958-all-information-is-not-encrypted/page__view__findpost__p__29871"]Chad's post from a few days ago answer's your question directly[/url]. I hope that helps. Please let me know.



P.S. I am also drafting a reply to the other (longer) post you just made. I hope to have it done sometime soon, but it may take a day or so if I can't reach the developers immediately.

cyclops009

I started using the dropbox sync on my 1Password iPhone. I must say that's the best part of this software.



Said so, once i uninstalled the mac application of 1Password,[size="5"] i am able to access the folders directly[/size].. i can open it.. and i can read data in it. Atleast some data.. which is crazy.. aren't these encrypted? Now anyone who has access to my laptop will have access to my details..



[b]Also dropbox officials will have direct access.. I am getting crazy right now and seriously concerned.[/b] <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/angry.gif' class='bbc_emoticon' alt=':angry:' />



See screenshots below:



[img]http://f.cl.ly/items/1t2P2J1j3F3U3H2e1p2p/Untitled.png[/img]

percheron

Wow! This is extremely disappointing. I expected that ALL data is encrypted. Half the battle (if not more) is knowing the location and username. The default behaviour of 1Password is to add the username to the title of the item.



Is this not a significant problem?





[quote name='cyclops009' timestamp='1310218650' post='31583']

I started using the dropbox sync on my 1Password iPhone. I must say that's the best part of this software.



Said so, once i uninstalled the mac application of 1Password,[size="5"] i am able to access the folders directly[/size].. i can open it.. and i can read data in it. Atleast some data.. which is crazy.. aren't these encrypted? Now anyone who has access to my laptop will have access to my details..



[b]Also dropbox officials will have direct access.. I am getting crazy right now and seriously concerned.[/b] <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/angry.gif' class='bbc_emoticon' alt=':angry:' />



[/quote]

thightower

Guys there have been many discussion over the past about not everything is encrypted to speed the load time of 1P etc. a forum search should yield you some topics.



However you will be pleased to note that 1P is in the build/testing process for a new completely encrypted keychain (optional). I don't have any time frames and or details to share but the team has been listening to yours and others like yourselves feedback for sometime. Its not quite there yet but it is on the way.

thightower

[quote name='percheron' timestamp='1310222296' post='31585']

Wow! This is extremely disappointing. I expected that ALL data is encrypted. Half the battle (if not more) is knowing the location and username. The default behaviour of 1Password is to add the username to the title of the item.



Is this not a significant problem?







[/quote]



You can change this behavior, I never save my use name in the login details. Please see the attached screen shot.



[attachment=832:Screen Shot 2011-07-09 at 11.17.02 AM.png]



A long time ago I edited all my entries to exclude these details and so forth.



Now to separate mine and the wife's for example we just use things like Chase - th, Chase - bh etc

cyclops009

[quote name='thightower' timestamp='1310224558' post='31589']

Guys there have been many discussion over the past about not everything is encrypted to speed the load time of 1P etc. a forum search should yield you some topics.



However you will be pleased to note that 1P is in the build/testing process for a new completely encrypted keychain (optional). I don't have any time frames and or details to share but the team has been listening to yours and others like yourselves feedback for sometime. Its not quite there yet but it is on the way.

[/quote]





Bit confused. Does that mean the problem don't have a solution and it stay as it is?

percheron

You have to consider the user expectations. If users generally expect that ALL data is encrypted / "safe", the use of the "add to title" feature is not understood as a potential security threat. There ought to be a very clear summary by Agile Bits of what is encrypted and what is not. That is the only way for the company to expect the user to know and appreciate the consequences of their configuration decisions.



I could just as easily keep an encrypted txt file on my dropbox with all of my sensitive information. However, I choose to use 1Password based on the assurances that ( a ) the information I put in the program is "safe" through encryption and ( b ) it makes creating, saving, and using my information easy. The fundamental value of 1Password is security. If the user has to parse through forum threads and documentation to understand the intricacies of what is and is not encrypted, Agile Bits has failed its users.



[quote name='thightower' timestamp='1310224703' post='31590']

You can change this behavior, I never save my use name in the login details. Please see the attached screen shot.



[attachment=832:Screen Shot 2011-07-09 at 11.17.02 AM.png]



A long time ago I edited all my entries to exclude these details and so forth.



Now to separate mine and the wife's for example we just use things like Chase - th, Chase - bh etc

[/quote]

[Deleted User]

cyclops009 & percheron,



Per the PM I sent to you both earlier, I've merged the original topic into the appropriate thread.



As the discussion regards some of your data remaining unencrypted, I thought you would find the following article interesting: [url="http://help.agile.ws/1Password3/agile_keychain_design.html#individual_entry_contents"]Agile Keychain Design > Individual Entry Contents.[/url]



Please review the article & posts in this topic, and let me know if you have additional questions or concerns.



Cheers!



Brandt

khad

[i]Please see the rest of this thread for the complete discussion. You might even recognize this exact post once or twice. The current state of the data format is as follows.[/i]



We are [url="http://blog.agile.ws/2011/04/looking-ahead-in-security/"]hard at work on a new data format with fully encrypted contents[/url], but until that is available, you will always be able to read the [i]unencrypted[/i] in addition to the encrypted information in your data file (just like 1Password does) by manually opening a .1password file in a text editor.



We have had some great discussions about our current data format over time (as you can see above). The current [url="http://help.agilebits.com/1Password3/agile_keychain_design.html"]Agile Keychain Design[/url] is nearly identical to the Mac OS X keychain in terms of what is kept encrypted and what is left open in plain text. The distinction is an important trade-off between security and convenience. The more that is encrypted, the less a would-be thief can access, but it is also necessary to leave enough open to allow applications to freely access certain items without needing to decrypt every single entry each time. The Mac OS X keychain nicely balances security and convenience, so the Agile Keychain follows suit.



That being said, we are still hard at work updating the data format to encrypt every last bit of information. When we introduced Dropbox syncing for iOS and 1Password for Windows, it was so awesome that everyone wanted to use it. It was then that we renewed discussing what we can do to give your data even more privacy protection than what the Mac OS X keychain affords.



[url="http://www.schneier.com/crypto-gram-0005.html"]Security is a process, not a product.[/url] We are proud of where we are today regarding the security of storing 1Password data in the cloud, but we wouldn't be true to our name or acting in your best interests if we simply rested on our laurels. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_wink.png' class='bbc_emoticon' alt=';-)' />



We are excited about the future of 1Password, and we think you will be too. If we can be of further assistance, please let us know.



We are always here to help!

Ryan Tate

[quote name='chadseld' timestamp='1308709160' post='29871']

Bernd,



The data in the Fill folder is used to support the Go & Fill feature. -snip- These files normally are removed after use. -snip- if you perform a successful Go & Fill I believe the folder contents will be automatically purged.



You are correct, this is an area we will have to consider with our upcoming file format.

[/quote]



I'm sorry, but this is a breach of product security and a contradiction of your marketing to customers. It is a security hole! An important one!



Here is the promise you make to your users right on the front page of your site: "All your confidential information, including passwords, identities, and credit cards, is kept in one secure place, protected by the only password you will need to remember."



Due to the "Fill folder" this is false. And apparently you're scattering unencrypted data in other files too, per the rest of this thread (including password strength and usernames).



The identity of the websites on which I have a 1Password login [i]is itself confidential information[/i]. Now I don't personally have an embarrassing account on StarWarsFurryFetish.com or SexyLadyAnkles.com or whatever. Nor do I have a darknet login for file swapping, or a premium BitTorrent search engine account that could easily be misconstrued. Nor am I hiding any dating profiles from my significant other. I live a reasonably above board life and encrypt my hard drive anyway.



But if I did, for whatever reason, have an unencrypted hard drive and any of those sorts of accounts, and I used 1Password to organize them, I would have a reasonable expectation that your app is not "leaking" confidential data. After all, you told me it doesn't! You said all the data is in one place, encrypted. Naming files in the (completely unencrypted, easily found) Fill folder after the URLs they correspond completely violates this.



Fix this. Beyond that, start acting like this is a priority! This thread dates to September 2010 for God's sake! Wake up!!



At the very least, [b]stop lying to your customers[/b]. Have some integrity.



[quote name='thightower' timestamp='1310224558' post='31589']

Guys there have been many discussion over the past about not everything is encrypted to speed the load time of 1P etc. a forum search should yield you some topics.

[/quote]



This does not excuse the utterly false marketing for 1Password, which states, "All your confidential information, including passwords, identities, and credit cards, is kept in one secure place, protected by the only password you will need to remember." This is completely incorrect and misleading. As you just said yourself, "not everything is encyrpted." URLs, usernames, password strength and other data are leaked.



Your false boasts are on the front page of agilebits.com. All discussion of this bug, meanwhile, has been forcibly merged into a single thread (this one) in the "Agile Lounge" section of your support forum, away from the product forums, so that no one will ever see it. This is the definition of a "cover up." I am very disappointed in your product and company, which I have recommended to friends, coworkers and family. Crestfallen, actually, would be a better word for it.



This is all just incredibly sad.

MikeT

HI Ryan,



I can see how it can appear to be misleading to you and we'll do our best to make this clear to our customers.



Our definition of [color="#1C2837"][size="2"][b]confidential information[/b] is that such information are private data that is specifically restricted to you, in this case, your username and passwords as well as identities and credit cards. That's what we meant by our quote: [i]"[/i][/size][/color][color="#1C2837"][size="2"][i]All your confidential information, including passwords, identities, and credit cards, is kept in one secure place, protected by the only password you will need to remember".[/i][/size][/color][color="#1C2837"][size="2"] We do not originally consider the URLs, password strength and a few other fields to be confidential because they are not restricted to you or can be used to identify you in any methods.[/size][/color]



[color="#1C2837"][size="2"]However, I can understand that to some users, they'd consider everything to be confidential. We're working on doing that for a future update to 1Password.[/size][/color]



[color="#1C2837"][size="2"]I understand that you feel that it feels like false advertising or misleading and we do apologize for that but I hope you'd understand what we meant intentionally. We'll try to be more specific about what we meant in our writings. Thank you for bringing this up with us. [/size][/color]

[color="#1C2837"] [/color]

[size="2"][color="#1c2837"]If you have more questions or would like to speak to us privately about any concerns you have, please do email us at support@agilebits.com and we'll do our best to explain. [/color][/size]

Penelope Pitstop

Hi Ryan,



Personally I don't give a tinker's cuss whether the meta data is encrypted or not but I can quite understand why you might. I even support you urging Agilebits to hurry up and introduce the feature you want even though I don't.



However your indignant accusation that Agilebits are liars and lack integrity is unfounded in my view - despite MikeT's professional response. On the contrary, they are to be commended for their openness about product design and the professional manner in which they address concerns raised about it. They certainly do not deserve to be slagged off for being the complete opposite no matter how disappointed you are that an assumption you made about the product turned out to be false.



Anyone as concerned as you seem to be about data privacy should be doing more than cursory reading about a security product to verify it meets their needs before trusting it. All the information about meta data not being encrypted and why is openly explained in the FAQs and associated knowledge base articles. It is certainly not hidden. Nor is it buried in one particular forum thread as you suggest – although that is the right place to discuss it of course.



In my experience, Agilebits are nothing but open about the way their product works. They have answered without exception all my questions posed both publicly and privately about the innards of the product. They have given me great support and incorporated features I requested into the product too. They have already publicly announced that they are working on a new keychain format to address this concern of yours, why it is not easy and why it will take some time to release.



Regards,



PP

cyclops009

[quote name='bswins' timestamp='1310239975' post='31616']

cyclops009 & percheron,



Per the PM I sent to you both earlier, I've merged the original topic into the appropriate thread.



As the discussion regards some of your data remaining unencrypted, I thought you would find the following article interesting: [url="http://help.agile.ws/1Password3/agile_keychain_design.html#individual_entry_contents"]Agile Keychain Design > Individual Entry Contents.[/url]



Please review the article & posts in this topic, and let me know if you have additional questions or concerns.



Cheers!



Brandt

[/quote]

Hi Brandt, I got the point. Now is there a post somewhere which says which field in CC or Bankaccount options are encrypted and which are not.I was planning to rearrange my data a bit and it should help. One example will be I have a account where it uses 2 password. So for me i save 2 of them in 2 diff fields. Not sure if those two fields are encrypted. I have multiple similar scenarios.

khad

That is a good question, cyclops009! [url="http://forum.agile.ws/index.php?/topic/1958-all-information-is-not-encrypted/page__view__findpost__p__11748"]As I mentioned much earlier in the thread[/url], the [url="http://help.agilebits.com/1Password3/cloud_storage_security.html"]Cloud Storage Security[/url] section in 1Password's User Guide explains this pretty well:



[indent]The information which 1Password keeps decrypted in your data is very similar to what you may have in a browser bookmarks file. In addition to the location and title are tags, Folder, password strength, creation time, and last modify time. Any of the fields that can be used for sorting or arranging the display of your items in the 1Password app are not encrypted. Everything else is.[/indent]

All username and password data along with Login fields, notes, etc. are always encrypted. Offhand, I can't think of anything besides what is listed in the [b]View > Columns[/b] menu that is unencrypted.



The list in that menu is as follows.



[list]



[*]Icon

[*]Title

[*]Location

[*]Type

[*]Modified Date

[*]Created Date

[*]Folder

[*]Password Strength

[*]Tag

[/list]

I hope that helps, and I don't blame you for missing the previous post on your specific question. This thread is getting pretty long. <img src='http://forum.agile.ws/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />



Please let us know if you have any other questions. We are always available to answer them.

Ryan Tate

Lol, you guys quietly changed your false advertising claim. The Agilebits home page USED to falsely and fraudulently claim to secure "All your confidential information." Here's a screenshot http://lockerz.com/s/126804241



Now it only claims to secure "some of your confidential information." True! It's only partial security. Bravo for finally telling the truth in one place on your website. I'm sure the 1Password front page will be updated any day now with that claim. http://agilebits.com/

Ryan Tate

[quote name='MikeT' timestamp='1310370098' post='31733']

We do not originally consider the URLs, password strength and a few other fields to be confidential because they are not restricted to you or can be used to identify you in any methods.

[/quote]





What does this even mean? URLs are not "restricted to you?" What do you mean?? If I surf in an incognito window, I certainly expect knowledge of where I go to be restricted to me.



Would you feel comfortable sharing all URLs YOU visit with the world? Would you be willing to share publicly a list of every site on which you have a login? This is absurd.



And do please delete this post too, might as well make the coverup complete.

MikeT

HI Ryan,



We understand your frustrations and utter disappointment in us. We’re working on fixing this and we’re reworking our products from now on to encrypting all of the user information, including URLs. We have already started the work with our new extension for Safari 5.1, which now keeps all of the user data encrypted (including URLs), the exception is the generated information that is used for 1Password only, such as the type of form (login,account, secure note). From now on, we do plan to use that type of encryption protection to the rest of our products such as the whole 1Password app lineup, extensions for Firefox and Chrome.



We are not trying to cover up anything, we’re trying to address everybody’s concerns but it’ll take us some time to complete this.



As for your posts that were deleted, I’ve sent you a PM about the reasons. It is our policy here that all discussions are done in a civilized manner, we do not allow any posts that explicitly insults members or our staff.

TnIan

I was poking around in the 1Password.agilekeychain file (or "package," more accurately), and was a bit alarmed to find that the title & URL of each entry is stored in plaintext.



Go to ~/Library/Application Support/1Password/, right-click on 1Password.agilekeychain, select "Show Package Contents," expand data/defaults/, and open a few of those files in a text editor.



I'm not tremendously concerned about this on my Mac, but I have a copy of the keychain file on my Android's SD card so I can use the 1Password app on my phone.



This means that if my phone is lost or stolen, anyone who physically has it can open the 1Password.agilekeychain file on the SD card and build a descriptive list of everything I've got stored in 1Password. Obviously, they won't have the passwords themselves., but I'd really rather not hand a phone thief a list of every financial institution I've got an account with.

Ben

In Tnlan,



Welcome to the forums.



I merged your thread with another on the same subject. Hope this addresses your concerns.



Thanks

Ben

GeneY

Hello Tnlan,



Welcome to the forum and thank you for raising such an important question.



I completely agree with you that while all what is considered "secure" customer data is perfectly encrypted in the existing keychain format, there are certain pieces of metadata (data about the data) in the keychain which is stored in a plaintext. Although it is a totally valid approach to handling sensitive data, I assume that it may create certain concerns for some users.



The good news is that all Agile products are switching to the new keychain design. This new design has

every piece of info completely encrypted. There will be no Low/High Security Level, every single piece of data

will be encrypted with High security only. Notice that the key keychain name has a .1pt extension (the old one has .agilekeychain).



In addition, the number of iterations in the secure algorithm (the most critical parameter) is increased ten fold from the industry standard of 1000 to 10K.



Please notice that the last build of 1Password Reader already supports the new keychain format in addition to the existing one.



Best regards,

Gene

Android developer

TnIan

Sorry, should've searched the forum a little more thoroughly before posting. I'll give the thread a good read.

GeneY

Don't be sorry Tnlan,



We are always ready to help you and all Agile customers with anything related to our products and provide any information we have available.



Best regards,

Gene <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />

dsjr2006

[quote name='GeneY' timestamp='1313333612' post='39184']

Hello Tnlan,



Welcome to the forum and thank you for raising such an important question.



I completely agree with you that while all what is considered "secure" customer data is perfectly encrypted in the existing keychain format, there are certain pieces of metadata (data about the data) in the keychain which is stored in a plaintext. Although it is a totally valid approach to handling sensitive data, I assume that it may create certain concerns for some users.



The good news is that all Agile products are switching to the new keychain design. This new design has

every piece of info completely encrypted. There will be no Low/High Security Level, every single piece of data

will be encrypted with High security only. Notice that the key keychain name has a .1pt extension (the old one has .agilekeychain).



In addition, the number of iterations in the secure algorithm (the most critical parameter) is increased ten fold from the industry standard of 1000 to 10K.



Please notice that the last build of 1Password Reader already supports the new keychain format in addition to the existing one.



Best regards,

Gene

Android developer

[/quote]



When do you expect the new keychain format to be available for 1Password Mac and iOS?



Thanks

GeneY

You are very welcome ! I am glad that you found the tip useful.

Please stay in touch



Regards,

Gene <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/skype_smile.png' class='bbc_emoticon' alt=':-)' />

Android developer

TnIan

[quote name='dsjr2006' timestamp='1315455295' post='45264']When do you expect the new keychain format to be available for 1Password Mac and iOS?[/quote]



I was wondering this myself. <img src='http://forum.agilebits.com/public/style_emoticons/<#EMO_DIR#>/smile.png' class='bbc_emoticon' alt=':)' />

GeneY

Hello Tnlan,



1Password Reader already support the new keychain format (with all data encrypted).

I will ask our customer support team to provide an additional information for you.



Best regards,

Gene

jpgoldberg

Hi folks.



We are all anxious to get the .1p4 data format out to people, but there really is no way I can provide a timeline. It is, indeed, a rare thing when we announce any feature before it is delivered, but we wanted to let everyone know that we have been working on it.



When we roll out (even in Beta) a new data format, we need to make sure that 1Password on all platforms will be able to cope with it appropriately. Some of our work on the JavaScript extension helps us move this forward a great deal. (I won't say how just yet because that reveals something coming fairly soon that isn't out there yet.)



Some of you old-timers may remember the move to our current data format from the one based on the OS X keychain. Although it went well for most users, it was still a source of trouble for many. At that time, we only had 1Password for Mac. We've learned a great deal from that.



So the most I can say is that work toward 1P4 is coming along nicely. A number of technical concerns we've had have been overcome. (Our developers never cease to amaze me. I have learned to stop saying "I think X is an insurmountable problem"; they keep proving me wrong.); so progress has speedy in some areas that I personally was pessimistic about. I love being proved wrong.



OK. Now I am just rambling. Sort answer: It's progressing. It's coming; but I can't say when.



Cheers,



-j