
You have secrets; we don’t. Why our data format is public - JereCoh
http://blog.agilebits.com/2013/03/06/you-have-secrets-we-dont-why-our-data-format-is-public/
======
sneak
I love and use 1Password, but bear in mind that passwords are all it encrypts:
the rest of the account details, such as URL, are stored in plaintext for an
attacker to harvest. :(

~~~
kingnight
Do you have a reference for this?

I ask because when you drag an attachment to an entry, it states: "The file has
been added as a secure attachment."

Leading me to believe it's encrypted (along with everything else in the
entry...).

~~~
nwh
    ~/Library/Application Support/1Password/1Password.agilekeychain/data/default/

Only the password itself is encrypted. Everything else is just sitting there
in JSON.

    ~/Library/Application Support/1Password/1Password.agilekeychain/a/default/files

The attached files do appear to be encrypted, but I don't know how well. The
names of the files aren't however, and they may be enough to expose or
incriminate you.

~~~
kingnight
Thanks for the paths. I've made some entries and checked what gets encrypted,
and it seems some items in addition to the password are encrypted.

I'm seeing the 'Username' and 'Note' fields for example, for Login items as
encrypted.

I found a summary[1] of why/what gets encrypted under "Individual Entry
Contents".

[1]: <http://help.agilebits.com/1Password3/agile_keychain_design.html>

------
gregdetre
I've been using 1Password for a few years now. I'm not qualified to comment on
the security aspects of it - I'm trusting them and Apple to take care of that.

But I can comment on the superb quality of the user-facing aspects - it's a
pleasure to use, has great iPhone and Dropbox support, and I really like the
way they communicate as a company.

~~~
tlrobinson
“I won’t comment on the safety of this nuclear reactor, but it’s truly a
beautiful nuclear reactor”

------
tlrobinson
What's the difference between:

1) entering your 1Password master password in untrusted software

and

2) running untrusted software which could potentially keylog your 1Password
master password?

Agilebits likes to talk about how 1Password protects against keylogging
(<http://help.agilebits.com/1Password3/security.html> and note the author here
<http://mackeyloggerprotection.com/> ) but what's stopping attackers/malware
from keylogging your master password and exfiltrating your 1Password database
and master password?

~~~
jpgoldberg
I'd really like to direct people to our discussion forums where questions like
this are discussed. It's kind of hard to provide user support spread out over
a range of sites.

There are some counter measures in 1Password to try to thwart keyloggers. The
details vary from OS to OS. As far as we know, our defenses work against existing
keyloggers, but we also know that this is an arms race that we can only lose.

If your machine is compromised, then you can no longer trust anything on it.
So while we believe that our current counter measures work against current
threats, we can't state with much confidence that they will continue to do so.
We've been fortunate in that keyloggers tend to be simple and go for the low
hanging fruit.

Cheers,

-j

------
kirubakaran
What password manager would you recommend for Linux? I use KeePassX but I wish
I didn't have to copy-paste passwords onto website login forms.

~~~
martinced
None. Zero. Zilch. Nada.

Will people never learn? Do you realize what happens when your password
manager itself gets compromised?

Using a password manager is trading security for convenience. This is simply
not acceptable.

I fully expect all the people using insecure security practice and all the
people selling snake oil to downvote this.

The problem, however, is that you can't argue with facts. And the fact is that
trading security for convenience is a _very_ stupid thing to do.

~~~
smilliken
What would you recommend instead? If you insist people remember all of their
passwords in their head, you'll end up with them using the same password for
everything.

~~~
purephase
I think the most common is you have a single password, but you _hash_ it with
the name of the service you're logging into.

For example, if your password is "puppy" and you're signing up for HN, your
password would be:

pHuApCpKy

And, if you wanted to make it stronger, _salt_ it with some special
characters.

p~Hu!Ap@Cp#Ky$

... which is just the shift-characters on a number row in order.

This way, you only have to remember one password, and it is service specific,
and pretty strong. No password manager needed.

Of course, I don't do this. I use a 1Password and KeepassX.

~~~
GhotiFish
I like the idea of hashing off a root word + site. I'd rather have the browser
do it for me though, and I don't think there's anything on the page itself
that I could depend on to hash with. Maybe the domain?

To be honest, Firefox has an encrypted database of site-passwords. What's
wrong with that?

~~~
icebraining
I have a system like that, that takes a master and the domain. The advantages
over the Firefox password manager are availability and not having to worry
about backups. Since I know the algorithm, I can recreate any password using
widely available tools.
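The master-plus-domain scheme icebraining describes (and GhotiFish asks for), as an added example that is not part of the thread or of any product mentioned in it; the PBKDF2 parameters, the output alphabet and the per-site version counter are my own assumptions, chosen so a leaked site password does not hand over the master and so one site can be rotated without changing every other derived password.

```python
import hashlib
import hmac
import string

# Added example, not code from the thread or from 1Password/KeePassX.
# Deterministic "master secret + domain" scheme: the same inputs always
# reproduce the same site password, on any machine with a standard library.

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols
PBKDF2_ROUNDS = 200_000  # assumed; slows brute-forcing the master from a leaked site password


def normalize_domain(url_or_host: str) -> str:
    """Reduce a URL or host to its lowercase host so 'https://News.YCombinator.com/x'
    and 'news.ycombinator.com' derive the same password (a typo here silently
    yields a different password, so the normalization must be stable)."""
    host = url_or_host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    return host.split("/", 1)[0].split(":", 1)[0]


def derive_site_password(master: str, site: str, length: int = 20, version: int = 1) -> str:
    """Derive a site-specific password from the master secret and the domain.

    The domain (plus a version counter) is the salt, so no two sites share a
    password. Bumping 'version' rotates a single site's password without
    touching the master, which naive interleaving schemes cannot do.
    """
    salt = f"{normalize_domain(site)}|{version}".encode()
    # Stretch master + domain into a 32-byte key.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    # Expand the key with HMAC in counter mode and map bytes onto the alphabet.
    out = []
    counter = 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        for b in block:
            # Rejection sampling: 256 % 70 != 0, so drop the top bytes to keep
            # every symbol equally likely instead of biasing the first 46.
            if b < 256 - (256 % len(ALPHABET)):
                out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
        counter += 1
    return "".join(out)
```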

------
hsshah
In other words, Security through Obscurity does NOT work.

------
dexen
Also worth noting is the (linked) tongue-in-cheek
<http://blog.agilebits.com/2012/04/01/cipher-of-advanced-encryption-rotation-and-substitution/>

------
makkes
Closed-source security software isn't worth very much in my eyes since you can
never be sure that it does what the vendor says it does.

------
jonknee
With the format being open I really wish a Linux client would happen already.

