This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Is syncing with Dropbox secure?

fourex
fourex Junior Member
Is my data available on the internet?

[quote name='thightower' timestamp='1298827392' post='21501']

Haha, if it's about one of my 2 fav subjects you know I am gonna reply 1P and Dropbox. :)

[/quote]





1. I am wondering, just how safe is syncing my 1password keychain using Dropbox? (I will be using a Mac for my main machine). This may have been covered before; but I was unable to specifically find it. I am really hesitant about putting my passwords on the internet, but I absolutely adore the idea of the ability of doing so.



2. With the current version of 1password for Android, can I create new passwords with an Android phone and have it saved to Dropbox for syncing back to my home computer?



Thanks so much for answering my two questions;)

Comments

  • Hi fourex,



    Thanks for the excellent questions, let me try and answer them as best as I can for you.



    [quote name='fourex' timestamp='1299613868' post='22073']

    1. I am wondering, just how safe is syncing my 1password keychain using Dropbox? (I will be using a Mac for my main machine). This may have been covered before; but I was unable to specifically find it. I am really hesitant about putting my passwords on the internet, but I absolutely adore the idea of the ability of doing so.[/quote]



    The short answer is 'incredibly safe', but let me expand on that a bit. A common misconception is that when you store your data on Dropbox it's stored on the public internet for all to access; that's not the case at all. The Dropbox service is secure and your data is only available to you using your Dropbox login credentials. It's also encrypted using 256-bit AES encryption when stored on the Dropbox servers and is transferred to and from the server using SSL, meaning no-one can 'snoop' in on the data as it's being transferred.



    Dropbox does have a feature to allow you to share files publicly, but this can only be done from a single 'Public' folder, and the rest of your data remains securely stored. You can also share folders with other Dropbox users, but this has to be enabled; it's not on by default.



    Our resident security expert and 'Chief Defender Against the Dark Arts', or Jeff for short, wrote a very detailed guide on how secure syncing with Dropbox is and you can find this here:



    http://help.agile.ws/1Password3/cloud_storage_security.html



    If it helps, everyone here at Agile Web Solutions uses Dropbox to sync our 1Password data; we're comfortable with how secure it is, and that says a lot considering some of the information we have stored :-)



    [quote]2. With the current version of 1password for Android, can I create new passwords with an Android phone and have it saved to Dropbox for syncing back to my home computer?[/quote]



    At the moment, no, 1Password for Android is read-only. That is something we're looking into changing, and our Android developer, Gene, has some great ideas for the future. We created 1Password for Android to initially be a '1Password Reader' type of application, the same being true with our recent 1Password for Windows Phone 7 app, because 1PasswordAnywhere won't work with mobile browsers.



    I hope that helps. Please don't hesitate to ask any further questions; I know there's a lot of people here in the forums who love talking about Dropbox and 1Password :-)



    PS. I've split this thread so people can find this response a bit easier, because it's a question a lot of people ask.
  • [quote name='stu' timestamp='1299616581' post='22081']

    The Dropbox service is secure and your data is only available to you using your Dropbox login credentials. It's also encrypted using 256-bit AES encryption when stored on the Dropbox servers and is transferred to and from the server using SSL, meaning no-one can 'snoop' in on the data as it's being transferred.

    [/quote]

    I've assumed it is the case, but would you clarify whether passwords synced by 1Password in DropBox are doubly encrypted: first by way of a 1Password master password and secondly with DropBox credentials?



    Thank you.
  • Hi seeemef,



    Your 1Password data is encrypted at all times using 128-bit AES encryption, regardless of where it's stored. When syncing with Dropbox the connection is secured using SSL, so no-one can snoop in on the encrypted data on its way to Dropbox.



    Once on Dropbox all your data, including the 1Password data file, is encrypted using 256-bit AES encryption. So, yes, your data is doubly protected when stored on Dropbox. In fact, even if your 1Password data was stored on a public server, it would take an attacker somewhere in the region of 149 trillion years to brute force the encryption used, unless they had your master password of course.



    Hope that helps,





    [quote name='seeemef' timestamp='1299678290' post='22129']

    I've assumed it is the case, but would you clarify whether passwords synced by 1Password in DropBox are doubly encrypted: first by way of a 1Password master password and secondly with DropBox credentials?



    Thank you.

    [/quote]
  • fourex
    fourex Junior Member
    edited March 2011
    Thanks for your response here, and I understand it fully. I did have one other question. How secure is an "exported html webpage" of my 1Password logins?



    I did notice that I could not cut nor paste the passwords and user logins from the encrypted page; but it does allow you to jump to the underlying site. What was the thinking behind this? Thanks for your time in responding to this part of my concern.
  • MikeT
    MikeT Agile Samurai
    edited March 2011
    [quote name='fourex' timestamp='1300077297' post='22391']

    Thanks for your response here, and I understand it fully. I did have one other question. How secure is an "exported html webpage" of my 1Password logins?



    I did notice that I could not cut nor paste the passwords and user logins from the encrypted page; but it does allow you to jump to the underlying site. What was the thinking behind this? Thanks for your time in responding to this part of my concern.

    [/quote]

    Hi fourex,



    The encrypted webpage is secure. Your data is stored in an encrypted form inside the HTML source code and we use JavaScript to decrypt the data within the JavaScript virtual machine.



    As for the copy/paste, that might be a limitation of the WebKit-based browsers displaying our web page. You may notice that it does let you copy in Firefox but not Chrome/Safari. We’ll look into it but I do not have a timeframe on when we’ll have this resolved.
  • da9848
    da9848 Junior Member
    [quote name='MikeT' timestamp='1300317858' post='22563']

    Hi fourex,



    The encrypted webpage is secure. Your data is stored in an encrypted form inside the HTML source code and we use JavaScript to decrypt the data within the JavaScript virtual machine.



    As for the copy/paste, that might be a limitation of the WebKit-based browsers displaying our web page. You may notice that it does let you copy in Firefox but not Chrome/Safari. We’ll look into it but I do not have a timeframe on when we’ll have this resolved.

    [/quote]





    Just curious:



    after the Dropbox security flap, how secure is the 1P file if left in the cloud?
  • [Deleted User]
    edited June 2011
    Hi da9848,



    We've had quite a detailed discussion on this very issue in this thread (http://forum.agile.ws/index.php?/topic/5199-security-cloud-syncing/), but allow me to summarise the discussion for you here in case you don't want to spend the time reading the other thread in its entirety.



    Your 1Password data remains incredibly secure, despite any Dropbox security breaches, as we use 128-bit AES encryption on your 1Password data. This means that without your master password, which isn't stored in the data file, an attacker would need to take somewhere in the region of 149 trillion years to break the encryption used on your 1Password data, as we detail here:



    http://help.agilebits.com/1Password3/cloud_storage_security.html



    Hope that helps,





    [quote name='da9848' timestamp='1308749057' post='29952']

    Just curious:



    after the Dropbox security flap, how secure is the 1P file if left in the cloud?

    [/quote]
  • da9848
    da9848 Junior Member
    [quote name='stu' timestamp='1308751442' post='29960']

    Hi da9848,



    We've had quite a detailed discussion on this very issue in this thread (http://forum.agile.ws/index.php?/topic/5199-security-cloud-syncing/), but allow me to summarise the discussion for you here in case you don't want to spend the time reading the other thread in its entirety.



    Your 1Password data remains incredibly secure, despite any Dropbox security breaches, as we use 128-bit AES encryption on your 1Password data. This means that without your master password, which isn't stored in the data file in the clear, an attacker would need to take somewhere in the region of 149 trillion years to break the encryption used on your 1Password data, as we detail here:



    http://help.agilebits.com/1Password3/cloud_storage_security.html



    Hope that helps,

    [/quote]



    Thanks. I didn't see that post till now. Appreciate you reiterating.
  • khad
    khad Social Choreographer
    On behalf of Stu, you are quite welcome! :-)



    If we can be of further assistance, please let us know.



    We are always here to help!
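
To illustrate the point made in the replies above (the synced file is encrypted with 128-bit AES and does not contain the master password), here is an added sketch in Node.js; it is not part of the original thread and is not 1Password's actual file format. The function names, PBKDF2-SHA256 with 100,000 iterations, and GCM mode are assumptions chosen for the example.

```javascript
// Added illustration; NOT 1Password's real format or parameters.
const nodeCrypto = require('crypto');

const KDF_ITERATIONS = 100000; // assumed value for this sketch
const KEY_BYTES = 16;          // 128-bit AES key, the key size named in the thread

// Derive the AES key from the master password. Only the salt is stored.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, KEY_BYTES, 'sha256');
}

// Build the blob that would be written to the synced folder.
function sealVault(masterPassword, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-128-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Returns the plaintext, or null if the password is wrong or the blob was altered.
function openVault(masterPassword, blob) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-128-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  try {
    const body = decipher.update(Buffer.from(blob.ciphertext, 'base64'));
    return Buffer.concat([body, decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: wrong key or modified data
  }
}

// Constructed sample record and passwords.
const blob = sealVault('correct horse battery staple', '{"site":"example.com","password":"s3cret"}');
console.log(Object.keys(blob));                               // what the cloud provider sees
console.log(openVault('correct horse battery staple', blob)); // original record
console.log(openVault('wrong guess', blob));                  // null
```

Whoever holds the stored blob has to guess the master password to open it, so the strength of that password, not the storage provider's own encryption, decides how well the file holds up if it leaks.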