I love and use 1Password, but bear in mind that passwords are all it encrypts: the rest of the account details, such as URL, are stored in plaintext for an attacker to harvest. :(
[Disclosure: I work for AgileBits, the makers of 1Password]
It's true that in the Agile Keychain Format item title and URL are not encrypted, but it is a mistake to think that only passwords are encrypted. That's not how it works.
The details of exactly what is and what isn't encrypted in the Agile Keychain Format is documented in the first link in the article. (And has been since the day the Agile Keychain Format was introduced). The rationale for that design choice was spelled out later in
http://help.agilebits.com/1Password3/cloud_storage_security....
among other places.
Attachments are encrypted. Other than some meta data (modify times and the like) the only things that aren't encrypted are the Location (URL) and the Title. Earlier versions of the AgileKeychain format also left password strength unencrypted, but that was changed (and announced) years ago.
And as we've promised, we are moving to a new format that encrypts everything (except some things such as modify time). The 1Password Cloud Keychain format is documented here:
When we first promised this, we weren't sure how we would achieve the three goals of having:
(1) Everything encrypted.
(2) Only decrypting a single item at a time.
(3) Efficient listing and matching of items to websites.
To understand how we've managed to achieve all three you need to take a look at the details of the Cloud Keychain Format.
Currently, the Cloud Keychain Format is only used for syncing data between 1Password 4 on iOS devices. But it will eventually replace the Agile Keychain Format everywhere.
The attached files do appear to be encrypted, but I don't know how well. The names of the files aren't however, and they may be enough to expose or incriminate you.
See this discussion [1] for example where they say this explicitly. Passwords and logins and other sensitive details are encrypted, but item titles (including note titles) and URLs are not.
They have a new keychain design [2] in which most metadata (including item titles) is encrypted. This is currently used for iCloud syncing, and they plan to roll it out for other sync methods and perhaps local storage as well [1]. I am guessing this will happen in the new OS X version.
"Belenko said that he himself had been using 1Password Pro, which may be the most-installed password manager for Apple iOS. But he ceased using it after testing the application's cryptography. "When we recovered my master password in five seconds? That was a moment," he said."
I recommend that people actually read Elcomsoft's outstanding report on the security of password managers on mobile devices.
At Blackhat, Andre demonstrated a Chosen Ciphertext Attack (CCA) against PKCS CBC padding scheme. And 1Password (along with pretty much everyone else who used common recommended libraries) did use that padding.
But there is a whole lot more that would need to be put in place for a CCA to work. In particularly you need to be able to ask the app to repeatedly decrypt bogus ciphertext and see how it responds. You need to be able to interact with the thing that is performing decryptions for you.
CCAs are most applicable when there is some encrypted server, and this does form the basis for the BEAST attacks against SSL servers.
Although the CCA didn't pose an immediate threat to 1Password users, we did change the padding scheme in an update to 1Password within weeks of getting to see the report. (It would have been nice to see it beforehand.)
Changing the padding scheme fixes the particular CCA that was used, but the proper way to prevent all CCAs is to use authenticated encryption. Take a look at
There were two other things that they dinged us for.
(1) Our low-security items are really very low security.
We already knew that, but because of how people used 1Password, it was possible for people to have important data that was only protected with the low security 4 digit PIN. In 1Password 4, we no longer have security levels. Everything is high security. (We have introduced a 4 digit application unlock, but that is different.)
(2) Our failure to use PBKDF2 for the Master Password for the native (SQLite) data on the phone.
This was particularly embarrassing because we were early leaders in the use PBKDF2 in general. The history of how we made this mistake is more tedious than its worth, but in general it was part of our transition from using OpenSSL crypto libraries to CommonCrypo in the iOS SDK. The SDK for iOS 3 didn't include PBDKF2 and we were trying to maintain compatibility with older devices. So when we ripped out OpenSSL, we were left without PBKDF2.
Anyway, this was also fixed within a few weeks of the release of the Elcomsoft report.
I really recommend that people read their original report. We don't come out of it smelling like roses, but I think it shows us to be clearly among the best. Elcomsoft does outstanding work, but they also have a habit of stating their results in ways that can be mistaken as suggesting their results are more dramatic than they really are.
I see a lot of your blog posts but not a single place where I can read what exactly you implement in the application I can buy now. I see you write about your "next generation format" that's going to be good etc. And that you write about Dropbox. I don't want to use Dropbox, I'm interested just to see that you really know what you're doing locally for the start.
It goes without saying that you'd want to keep all the fields of a secret encrypted but it's also important to note that the plaintext fields can offer clues about the nature of the encrypted parts.
Calling a secret "Bank account" (plaintext) and only encrypting the PIN code tells an intruder that what is encrypted is a 4 digit code ranging from 0000-9999. If instead you encrypt the entire record the nature of the contents is entirely unknown.
I have respect for the fine folks at AgileBits but I don't agree with their approach to security and took the more thorough approach I mention above in KEYBOX.
