But is it secure?

Hi J (and any other AB moderator),

I am posting because I would like to ask for an update regarding when we customers can use 1P, completely and securely, as it is intended. To do that, we need to be able to use the v4 new Cloud Keychain format. Thank you J for the detailed information.

I am not trying to inflame, but when I refer to using 1P completely and security - I mean just that. A specific example is, when I learned of this design decision (imo, a flaw) in late 2010, I immediately ceased using the location field for anything other than sites I could not care less about someone knowing I visit. I also stopped using the Title as one normally would; for example instead of MyRealBankName, I might title it Bank1 and then remember which one that might be (after all I could have more than 1). I probably do not need to go into the why, but in short - if a person knows the name of all of your banks, places you shop, social sites you use and so on, they do not need to try to crack 1Passwords encrypted password. They know all of the places you use and the locations. It makes social engineering much much easier and also enables someone to see you use a known insecure site to then focus their attention on that one knowing they can compromise it, perhaps get a credit card number which can then be used to cause havoc like the whole Amazon/ Apple fiasco.

In Dec 2010, I hopped into a discussion on GetSatisfaction regarding partial encryption. At the time, there was a dismissive nature about it. But the topic picked up steam from customers and would be customers. In Jan 2011 AB (and I think it was you J) indicated the data format would change and that it was needed particularly since the Cloud aspect changed the vectors. The discussion also moved over to the AB forum of the time.

In an April 2011 blog post (but there were more forum discussions leading up to the post), it was first openly shared the format would be changing to "have even more of your data fully encrypted, with the remainder well obfuscated." as well as the increased number of iterations (which has occurred). Other "under the hat" options were referenced.

Why am I bringing this up? The main reason is - I want to fully use 1Password securely and I think customers deserve that too. Most people do not drill into encryption or even think about attack vector scenarios. They simply trust AgileBits. That trust is partially why I felt compelled to post this today. When looking to see if there were updates regarding Cloud Keychain support, I saw this reply from MikeT to a potential customer "Before purchasing I have a few questions" . There were many questions/ answers but here is one that makes my point.

Question:

3. Can i make a backup of all my data on local PC in simple format, where i can read my passwords ? Is our data secure on your website ? Please let me know detailed answer before I make purchase. Are all my website passwords stored in same plain text on your servers ?

Answer:

None of your private data, especially username/password are stored in clear view anywhere. It's all encrypted with AES encryption among other security features. You can find out more by reading our keychain design document.

Your backups are also encrypted with the same encryption. You can choose to export your data via text format (CSV) or 1Password Interchange File, which is the decrypted output of your 1Password data and can be imported in other tools if they support it.

In addition, your 1Password data is always stored on your computers locally, we do not store or host your data anywhere. You may choose to sync your data with Dropbox, which then would place a copy of the encrypted data file on Dropbox's servers.

I am not trying to pick on MikeT but that is clearly not an accurate answer; there is not even a way that it could be without Cloud Keychain format (which this is not since it is referring to a local computer etc). Sure, MikeT gives him the link to read more about the Agile Keychain - but how many will just trust "None of your private data, especially username/password are stored in clear view anywhere." That is just not true. Some people use title to store things like some number like a credit card number or employee badge number, and then the username and password for pin and second question. Regardless, title, location etc is private data.

So what do I want and why am I bringing all of this up. Again, for the reasons cited above and ultimately want at least an estimate for when we customers can expect Cloud Keychain support on not just iOS, but Windows and OSX? I have seen some moderators/ admins write pretty soon and things like that - that is not what we deserve. Give us real information. If there is a beta available - let me/ us know. I would be willing to risk breakage and report any issues. I have licenses for 1P for iOS, OSX and Windows. I am happy to be a guinea pig.

I personally have been waiting for over 2 years and it has been publicly promised for nearly 2 years. Support for v3 software was stated as well, which means there should be no reason it is not already available for all existing customers. Give us the option to choose the data format or to upgrade the existing.

In the same way we customers deserve to know a timeframe, especially after being promised this in 2011, we also deserve answers that can be trusted (so do potential customers). The response by MikeT is one of many where the easy response is that everything is encrypted when that is just not accurate at this time. I wish it were.

Given the effort to link and reference, cite discussion timelines and overall the issue with Agile Keychain - I hope it is clear that I am not trolling or bashing 1Password for sport. I have much better ways to spend my time.

I love the promise of 1Password, the design and cross platform potential. Unfortunately, that promise is flawed. Two plus years ago I was excited to see that AgileBits respond to concern expressed by customers. But after two years+ we get an iOS app (that was a paid upgrade lets not forget) but no timeline or even goal about when the Cloud Keychain can be used across platforms.

If an answer about when we can expect Cloud Keychain compatible OSX and Windows releases (even in beta form for those that choose), it pains me to say that it appears the promise of the new data format, v3 support and all the coming soon (some of which was well over a year ago) was nothing more than a means of stringing us customers along, and even more disturbing, perhaps using it to milk us for the v4 iOS upgrade. A timeline or goal date, without a cutesy pretty soon, soon, coming soon, not long now - would go a long way. Right now, those responses could mean a year+ still.

Regards,
Ben