Why aren't the titles of Secure Notes encrypted?

  • I’m using 1Password version #: 3.8.22
  • On a (Mac/PC/iOS/Android): Mac
  • Syncing with other devices (list them): several Mac desktops, several iPads, several phones (iOS and Android)

I use Dropbox to sync my 1Password keychain. Looking at the keychain's directory of files, I notice that for each Secure Note, the title of the note is present in plain text, i.e. not encrypted. In my case, this includes the names of my banks and other institutions. In other words, it tells a would-be identity thief a lot about me, even though it doesn't give account numbers and passwords. I also imagine that people who don't know better go ahead and include account numbers in these note titles. Shouldn't these note titles be encrypted too?

Comments

  • brentybrenty

    Team Member

    @marclevoy: You are correct! The short version to your question is that in the AgileKeychain design, names of items are not encrypted, both for performance considerations and to make searching easier and more secure.

    The long answer is that this is used, for example, to enable you to find the login item you want in the 1Password browser extension without 1Password needing to decrypt your entire vault first. We don't want 1Password to decrypt your sensitive information until it is needed (to fill your password for a login, for instance).

    And you can find the most detailed answers in the AgileKeychain Design documentation in our knowledgebase. The OPVault format supported in newer versions of 1Password encrypts both the title and the contents, and we are rolling this out across all platforms going forward.

    In any case, it may be best not to include any sensitive information in the name of an item (just as Nixon probably wouldn't have wanted to name a spreadsheet document "Enemies List" or "Watergate Conspiracy"), as even using the OPVault format with encrypted titles this information will be viewable by others nearby.

    I hope this helps. Please let me know if you have any other questions! :)

  • Thanks for the detailed response. I'll therefore wait until I upgrade before creating my "Enemies List".

  • brentybrenty

    Team Member

    @marclevoy: That, or call it something less ominous -- hypothetically speaking, that is. ;)

    And just to clarify, we aren't officially recommending migrating to OPVault or using it by default until such time as we have finished rolling it out across all platforms. We don't want anyone running into compatibility issues when syncing their 1Password data. Cheers! :)

This discussion has been closed.
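
An added illustration of the trade-off discussed in this thread (not part of the original discussion and not 1Password's code): unencrypted titles can be searched without decrypting anything, which also means anyone who can read the sync folder sees them, so it is worth auditing titles for embedded account or card numbers. The item records and field names are constructed for this example and do not reproduce the AgileKeychain file layout.

```python
import re

# Constructed sample of item metadata as a sync folder would expose it when
# titles are stored unencrypted. Field names are assumptions for this example.
ITEMS = [
    {"uuid": "A1", "type": "SecureNote", "title": "Example Bank savings", "encrypted": "<opaque>"},
    {"uuid": "B2", "type": "SecureNote", "title": "Card 4417 1234 5678 9113", "encrypted": "<opaque>"},
    {"uuid": "C3", "type": "Login", "title": "Forum login", "encrypted": "<opaque>"},
    {"uuid": "D4", "type": "SecureNote", "title": "Credit union acct 0012-3456-789", "encrypted": "<opaque>"},
]

# A run of digits, optionally grouped with single spaces or hyphens.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d)+")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def search_titles(items, query):
    """Find items by title alone; the encrypted payload is never read."""
    q = query.casefold()
    return [it["uuid"] for it in items if q in it["title"].casefold()]


def audit_titles(items, min_digits=8):
    """Flag titles that embed long digit runs (likely account or card numbers)."""
    findings = []
    for it in items:
        for m in DIGIT_RUN.finditer(it["title"]):
            digits = re.sub(r"\D", "", m.group())
            if len(digits) < min_digits:
                continue
            kind = "card-like" if 13 <= len(digits) <= 19 and luhn_ok(digits) else "account-like"
            findings.append((it["uuid"], kind, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


if __name__ == "__main__":
    print(search_titles(ITEMS, "bank"))
    for finding in audit_titles(ITEMS):
        print(finding)
```

Findings are reported with all but the last four digits masked, so the audit output does not itself become another plaintext copy of the number.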