This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Alternatives to Dropbox

Has Agile been giving thought to providing support for alternative sync methods beyond Wi-Fi (for Mac) and Dropbox? With some of the bad press lately regarding Dropbox I've been pondering other sync solutions as possible alternatives but am feeling a bit locked in with 1Password. SpiderOak is one that comes to mind as an alternative as they also have an app for the iPhone/iPad and work on PC/Mac/Linux as well...



Their site:



http://www.spideroak.com/



Some API info:

https://spideroak.com/faq/questions/37/how_do_i_use_the_spideroak_web_api/



Code page:

https://spideroak.com/code



Would be nice to have other possibilities...

Comments

  • [Deleted User]
    edited 2011 27
    Hi Chris,



    We've been carefully watching the Dropbox situation, and while there are some concerns about some of the recent news, we'd like to assure our users that your data is still very much secure, even when stored on Dropbox. The reason we say this is that your data is encrypted before it's even transferred to Dropbox, as we describe in our guide here:



    http://help.agile.ws/1Password3/cloud_storage_security.html



    Our resident security guru, Jeff, also posted a blog post on our plans to increase the security of your 1Password data across all our platforms:



    http://blog.agile.ws/2011/04/looking-ahead-in-security/



    By the way, I just realised how dazed I look in our team photo, I'm the bottom left, I think the constant fun on our company vacation had me worn out :-)



    Anyway, back to Dropbox and alternatives: we're certainly not shutting the door on other solutions, and so thank you for posting the links. Every sync solution we implement requires support from the service itself and of course requires development and testing within the 1Password applications, so it's by no means a small task; Dropbox syncing took us quite some time to implement properly.



    We do have some other plans too, but they're not at a stage where we can share them right now, and there's also an element of our love of being able to surprise our users with some fantastic new features.



    I'm, of course, speaking from the perspective of 1Password as a whole, since any sync solution we implement has to be available on all our platforms.



    Thanks again for your feedback,
  • I'm also concerned about Dropbox security issues recently, and pose a thought that maybe a company-solution is required for syncing so that Agile are not reliant on a 3rd party for their product. If I were Agile, it would be far too risky to trust another company for a feature of my product - I'd want my own, controllable, manageable solution. But that's just me.
  • Thanks for sharing your opinion on this, CE.



    The thing to remember is that, no matter where it's stored, your 1Password data is protected with 128-bit AES encryption:

    [list]

    [*][url=http://help.agile.ws/1Password3/security.html][i]How Secure is 1Password?[/i][/url]



    [/list]

    Please see these documents for a more thorough discussion of the issue:

    [list]

    [*][url=http://help.agile.ws/1Password3/cloud_storage_security.html][i]Security of storing 1Password data in the Cloud[/i][/url]

    [*]Our blog - [url=http://blog.agile.ws/2011/04/dropbox-security-questions/][i]Dropbox Security Questions[/i][/url]

    [*]Dropbox's blog - [url=http://blog.dropbox.com/?p=735][i]Privacy, Security, and Your Dropbox[/i][/url]

    [/list]
  • CurbedEnthusiasm
    edited 2011 30
    Thanks David, those links are interesting and I appreciate Agile being good at responding to items and issues in the news, etc. Well done, you have impressed me immensely with your customer focus.



    I'm still concerned about Dropbox since their revelation, but it's probably highly unlikely a breach would occur.



    I think ultimately, when or if you implement 256-bit AES and encrypt the entire contents of login data, I'll feel ready to use 1Password exclusively. Til then I'm in a password holding pattern.
  • DBrown
    edited 2011 30
    [quote name='CurbedEnthusiasm' timestamp='1304163338' post='25950']

    Thanks David, those links are interesting and I appreciate Agile being good at responding to items and issues in the news, etc. Well done, you have impressed me immensely with your customer focus.[/quote]

    Thanks, CE!



    [quote]I'm still concerned about Dropbox since their revelation, but it's probably highly unlikely a breach would occur.[/quote]

    Concern is reasonable, but I agree with your assessment.



    [quote]I think ultimately, when or if you implement 256-bit AES and encrypt the entire contents of login data, I'll feel ready to use 1Password exclusively. Til then I'm in a password holding pattern.

    [/quote]

    It's up to you, of course; but my [i]personal[/i] opinion is that 256-bit AES encryption is overkill.



    Here's a snippet from our [url="http://help.agile.ws/1Password3/agile_keychain_design.html"]Agile Keychain Design[/url] article:

    [indent]

    The Agile Keychain uses 128-bit keys instead of 256-bit keys because they are long enough to be very secure and short enough to allow devices like the iPhone and web browsers to quickly decrypt their contents. The extra computation required for 256-bit encryption was simply not justifiable given the astronomical nature of a 128-bit key. According to the [url="http://www.nist.gov/public_affairs/releases/g01-111.cfm#AES"]National Institute of Standards and Technology[/url]:

    [indent]

    [i]What is the chance that someone could use the “DES Cracker”-like hardware to crack an AES key?



    In the late 1990s, specialized “DES Cracker” machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.



    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.[/i]

    [/indent][/indent]

    I just sleep better knowing how long I'll be past caring if someone cracks my master password, even if he's already been working on it full-time for the entire two and a half years I've been using 1Password. :)
  • Chris Epler
    edited 2011 07
    [quote name='DBrown' timestamp='1304186500' post='25958']

    Here's a snippet from our [url="http://help.agile.ws/1Password3/agile_keychain_design.html"]Agile Keychain Design[/url] article:

    [indent]

    The Agile Keychain uses 128-bit keys instead of 256-bit keys because they are long enough to be very secure and short enough to allow devices like the iPhone and web browsers to quickly decrypt their contents. The extra computation required for 256-bit encryption was simply not justifiable given the astronomical nature of a 128-bit key. According to the [url="http://www.nist.gov/public_affairs/releases/g01-111.cfm#AES"]National Institute of Standards and Technology[/url]:

    [/indent]

    [/quote]



    What testing has Agile done to make a statement like this? I notice no delays decrypting on my iPhone, iPad 1, or iPod Touch 3rd Gen, and from what I've heard there is about a 30-40% hit going from 128 to 256 bit.... 40% more than about nothing is still pretty darn close to nothing. Skimping with 128-bit feels more like someone doesn't want to pay higher licensing fees for some commercial AES library rather than a real performance issue. Show us some numbers to back this up.
  • DBrown
    edited 2011 07
    Skimping?



    I'll quote again this information from the NIST article:

    [indent]

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.

    [/indent]

    I don't know what testing was conducted, because it was done before I joined; but I'm comforted by the knowledge that the universe hasn't existed long enough for someone to have cracked a 128-bit AES key, even if he had started at the moment of the Big Bang.
  • [quote name='DBrown' timestamp='1304753267' post='26500']

    Skimping?



    I'll quote again this information from the NIST article:

    [indent]

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.

    [/indent]

    I don't know what testing was conducted, because it was done before I joined; but I'm comforted by the knowledge that the universe hasn't existed long enough for someone to have cracked a 128-bit AES key, even if he had started at the moment of the Big Bang.

    [/quote]



    I certainly think 128-bit is perfectly fine too, David. I wouldn't say no to seeing 256-bit in 1Password, but it's not like 128-bit has any known weakness :)
  • Stefan von Dutch, Community Moderator
    Think of 128-bit AES and 256-bit AES as two planets millions of light-years from Earth. The 256-bit planet is farther away from Earth, but in practice both of them are unreachable.
  • [quote name='DBrown' timestamp='1304753267' post='26500']

    Skimping?



    I'll quote again this information from the NIST article:

    [indent]

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.

    [/indent]

    I don't know what testing was conducted, because it was done before I joined; but I'm comforted by the knowledge that the universe hasn't existed long enough for someone to have cracked a 128-bit AES key, even if he had started at the moment of the Big Bang.

    [/quote]



    Yes, skimping, 256 is there, and can be put to use. Sorry David, but this just comes off like a marketing brush-off to me. If there is no real difference in how long it takes to perform operations on current platforms with 256 bit then there is no reason NOT to use it. Why would you turn down and NOT use security in a security app if there is no real detraction? And please don't go back to the same old "You don't need it because 128 is like God and even we can't crack GOD!" crud. The attitude Agile has regarding 128 vs. 256 as well as the unencrypted items in the database still irk me (Is there any update on the improved database format?). You would think that a company concerned with customer data security would want to do the MOST to protect their customers' data.
  • Stefan von Dutch, Community Moderator
    edited 2011 10
    We are always working on security and the protection of our customers' data. That is why great things are on the horizon. In the meantime, rest assured your data is VERY safe. We have yet to see someone break 1Password encryption.