This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Well you said it best.....

h00ligan
h00ligan Junior Member
edited 2012 21 in iOS
"But it does the most good for people who are using weak or re-used passwords to log into Dropbox"





Like the people that work there.





Also, their two factor is irrelevant when they've made all contents public at least once. But I believe more than that.



I get that you have utter faith in your cryptography. Maybe I do too... I don't know because it requires a company that has repeatedly demonstrated horrible security practices for me to sync regularly and easily.





Honestly this is just getting old. I'll check out the next MAS version if the free upgrade holds.



There's nothing you are ever going to say that will make security-conscious people feel Dropbox is secure. And frankly IMO it's lessening my opinion of the team.



I don't care if my stuff is locked up in Fort Knox if the staff hands the keys out to everyone. Period. Dropbox failed. And again..and again. Lose your association with them. It will bring nothing but harm.



But hey. Maybe you are all partners in a venture. What the heck do I know. For all I know there's a wide open backdoor in 1p and Dropbox has a magical key.



It's not open source so the trust is based on the person. Repeated mention of Dropbox and good security has lost that trust from me. Sorry. Dropbox couldn't secure a dorm room.

Comments

  • JDW
    JDW Junior Member
    Is the inevitable stomach ulcer you're facing worth all the worry?



    When you compute the statistical likelihood that your encrypted Dropbox data would be compromised, considering not only the probability of breaking the encryption itself but the likelihood that a hacker will work on cracking YOUR data out of all of the many people who have their encrypted data on Dropbox, it is actually more likely (statistically speaking) that a thief would break into your house, steal your computer, hack into it and compromise your data that way.



    If you disagree, then show us the numbers. Show us the mathematics that prove the statistical likelihood of compromising your data via Wi-Fi sync is significantly less than the statistical likelihood that someone will hack into your data in Dropbox.



    And while you work those mathematics, give thought to this. Let's say your encrypted data is on Dropbox. Then let's say that by an amazing chance out of all of the other people's encrypted data on Dropbox they choose yours to hack, if they spend the next 20 years cracking the master password on that data and if they do finally crack it 20 years from now, what value is it to them at that time? By then, your credit cards would have expired, you may even have different credit card numbers by then, you probably will have moved by then, you most likely would have changed almost all of your passwords multiple times by then, will any pertinent data remain 20 years from now?



    Again, when you work the mathematics, it seems to show that you have a higher chance of winning mega millions in Powerball every single year of your life than for your data to be compromised on Dropbox. There is nothing 100% sure in this life. You always have to balance risk. And the mathematics show that a good master password combined with sophisticated encryption should protect your data sufficiently even when stored in online services like Dropbox. And based on its recent review, which acknowledges the lack of Wi-Fi sync in 1Password 4, MacWorld would seem to agree with the assessment that storing your encrypted keychain on DropBox is secure, regardless of past hacker accesses of DropBox:



    http://www.macworld.com/article/2021484/app-review-1password-for-ios-keeps-your-digital-life-safe.html



    So why do I even take the time to write all this to you? It's because I think your time would be better spent by joining others here who are more constructively criticizing 1Password 4 (reporting bugs, helping to improve features, asking questions about compatibility with 1PSW3 for OS X, etc.), rather than incessantly bashing 1PSW4 over the lack of Wi-Fi sync. And before you get too upset over what I've written (as some folks often do when they disagree in online forums where there is no face to face communication), consider well that I'm writing this not merely for your sake, but also for the many other people who have paralleled your concerns in this forum. If I myself was not convinced by the mathematics, I would probably join you. So if you disagree with what I've written, then work the numbers and show us the mathematical proofs that show your stance in support of WiFi sync vs. DropBox is correct.



    Thanks.
  • khad
    khad Social Choreographer
    edited 2012 21
    Your secrets in your 1Password data are safe wherever they are stored. Although we don’t recommend making your 1Password database publicly available to the world, we have designed it so that your username and password data (along with other secret data stored within it) is protected no matter whose hands they fall into. For this and other reasons we are very confident when we recommend cloud syncing of 1Password data with Dropbox. Our "Security of storing 1Password data in the Cloud" document goes into increasing detail about the security measures in place and issues surrounding them:



    http://help.agilebits.com/1Password3/cloud_storage_security.html



    Some of the key points from the document:

    - Your master password is never transmitted from your computer or device.
    - All 1Password decryption and encryption is performed on your computer or device.
    - The 1Password data format was designed to withstand sophisticated attacks if it fell into the wrong hands (cf. John the Ripper blog post below).
    - Dropbox provides an additional layer of encryption.

    I won't bore you with all the details of the AES-encrypted, PBKDF2-strengthened Agile Keychain Format which uses a combination of the OpenSSL library, CommonCrypto, or Windows cryptography libraries depending on platform and version for all of its encryption and key generation needs. You can read about that in our Agile Keychain Design document:



    http://help.agilebits.com/1Password3/agile_keychain_design.html



    One of the best ways to show just how strongly 1Password protects your data is by pitting it against the pre-eminent password cracking tool John the Ripper. We did just that not too long ago:



    http://blog.agilebits.com/2012/07/31/1password-is-ready-for-john-the-ripper/



    Of course, perhaps despite all the actual hard data you still feel "in your gut" that you just don't want to sync via Dropbox. That's okay. Some people refuse to fly in planes but commute to work every day in a car even though planes are statistically far safer than cars. We are only human. We don't always behave rationally, and it's okay to have your own opinions and feelings about things.



    We are investigating how to best enable direct syncing with 1Password 4 and have invited a few people to our Beta program to help ensure we find a good solution. We will announce more details when they are available.



    If you require Wi-Fi syncing please stay with 1Password 3 for now.



    Please let me know if there is anything else I can help with.



    Cheers,
  • JDW
    JDW Junior Member
    Khad, since the same Master Password used on one's desktop is now required to be used in 1PSW4 (iOS), you should probably revise the following blog entry to delete number "4" in "points to keep in mind":



    http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/
  • khad
    khad Social Choreographer
    Thanks! I'll see if we can get that updated to clarify the difference between 1Password 3 for iOS and 1Password 4 for iOS.