Title of secure notes in plain text!

Hi,

I am shocked. I can see all titles (headlines) of my secure notes in plain text, if I open the 1password files with text editor!

..\1Password.agilekeychain\data\default\0A47D2529F7945559872820FB118B72C.1password

"keyID":"F75A2FF442834636A951E5FACD00F512",
"locationKey":"",
"encrypted":"U2FsdGVkX1/vxtc6fe9tNOBo4jCmsKle4NbI4OOj40oFFXGRL6wWOAuso95jh4Ft\u0000",
"typeName":"securenotes.SecureNote",
"location":"",
"uuid":"0A47D2529F7945559872820FB118B72C",
"updatedAt":1295879068,
"createdAt":1295878309,
"title":"Very secret message",
"contentsHash":"653afce0",
"securityLevel":"SL5"

Is that intentional?!? :o All search engines can find and index this, like Spotlight on Mac...

Comments

  • DBrown
    DBrown
    1Password Alumni
    edited January 2011
    Welcome to the forum, Lebostein!

    The short answer is "performance": 1Password has to be able to display your Logins whenever you ask for them, and decrypting hundreds or even thousands of Login titles would take longer than most people are willing to wait.

    I think of it this way: I don't care who knows that I have a MasterCard, a passport, a driver's license, and an account at the credit union, as long as they don't know the account numbers, usernames, passwords, and PINs, all of which are encrypted until I prove my right to see them by entering the master password.

    A full discussion is available in the Agile Keychain Design document on our web site. Here's a related excerpt:

    As you can see, not all the information is encrypted. Most notably, the name/title of each entry (i.e. dave @ AWS login) and the location/URL are open. Having these open allows 1Password to organize your data and display it without suffering the performance hit of needing to decrypt every single item. All the truly confidential information is stored in the encrypted section of the file.

    As a user, your most effective strategy might be to avoid putting sensitive data in the titles of your Logins and other saved items.

    I hope that helps, Lebostein.
  • Hm, performance is no reason to save the short title in plane text. 1password seems very fast to encrypt large notices.
    It calls "secure note" and a note means title and message like an e-mail means subject and message...
  • sjk
    sjk
    1Password Alumni
    I don't care (much) if Secure Notes have an unencrypted plain text Title, but do care that the Notes content can't be hidden and revealed when desired. Same for certain fields containing sensitive info in other Vaults types. For comparison, SplashID supports per-field masking.
  • thightower
    thightower
    Community Member
    I would second the vote for being able to hide the note details.

    What I have done as a work around and I stress work around is add "long scroll to protect data" as my first line in the note. Then put in whatever amount of spacing is necessary to run the data below the visible screen.
    It is no way ideal but my data is shielded from the occasional on looker.

    I like a neat and tidy work area as I said I would love to hide the note details and then press the option button for a quick reveal, which would also be a quick hide if needed by releasing the option button rather than my method of having to scroll up. Anyway my 2cents.
  • svondutch
    svondutch
    1Password Alumni
    Your Keychain is either locked or unlocked. If you want to protect your data from your co-workers, then lock your Keychain. Our auto-lock feature can be of great help here (it can lock your Keychain automatically when you close the lid of your laptop, for example).
  • DBrown
    DBrown
    1Password Alumni

    Your Keychain is either locked or unlocked. If you want to protect your data from your co-workers, then lock your Keychain. Our auto-lock feature can be of great help here (it can lock your Keychain automatically when you close the lid of your laptop, for example).

    I believe they're requesting an option to obscure the contents of notes and other text, even when the 1Password data is unlocked, as is currently possible with password fields.
  • sjk
    sjk
    1Password Alumni
    DBrown wrote:

    I believe they're requesting an option to obscure the contents of notes and other text, even when the 1Password data is unlocked, as is currently possible with password fields.

    Yup, that's the functionality I'd like and envision it being superior to the aforementioned SplashID, which doesn't support Notes field masking (only other fields).
  • DBrown
    DBrown
    1Password Alumni
    Just to be clear, I wasn't committing to that enhancement, just clarifying the request for Stefan.

    I don't know what may be practical or even possible, in terms of the program.
  • You should call it "note" and not "secure note". Then all problems solved.
  • svondutch
    svondutch
    1Password Alumni
    Lebostein wrote:

    You should call it "note" and not "secure note". Then all problems solved.


    The note itself is secure. The title(s) are stored in plain text. This goes for every 1Password item, including Wallet items, Identities, etc.
  • sjk
    sjk
    1Password Alumni
    DBrown wrote:

    Just to be clear, I wasn't committing to that enhancement, just clarifying the request for Stefan.

    Also to be clear, my intention was just to mention functionality I'd like/prefer without actually calling it a request. :)
This discussion has been closed.