This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.

Security: Cloud Syncing

kagy
edited June 2011 in Lounge
Dropbox security and alternatives

I just read an article by Pamela Yip, a correspondent for the Dallas Morning News, titled "Storing personal data in "clouds" requires research." She brings up the inevitable question of how secure it really is to store personal data off-site. More interesting to us in this lounge, however, is that Dropbox was directly mentioned as one site that may be questionable. The article states that a cybersecurity expert has recently filed a complaint with the FTC, asking it to investigate Dropbox, saying it deceived consumers about the security of its services. "Specifically, Dropbox's employees have the ability to access its customers' unencrypted files," this expert claims. Of course Dropbox said the complaint is "without merit."



So I'd love to hear your comments, especially since many of us use Dropbox to facilitate management between computers, or computer and phone. In fact it is the product recommended to us by Agilebits themselves. My direct question to them is, "is the 1PW keychain encrypted *before* it is downloaded onto an offsite server?" I believe it is. In other words, even if there is a small number of Dropbox employees with access to unencrypted data, would it matter in the case of 1PW?



Having said that, I'll have to reconsider my habit of putting my Quicken data onto Dropbox when leaving on trips now. Or, here's a thought - can I put any data into a Knox Vault before storing it in Dropbox???

Comments

  • [Deleted User]
    edited June 2011
    Hello kagy,



    Good questions all. Luckily for both of us...and the AB community...there have been some responses from 1P's security experts.



    Jeff Goldberg addresses the FTC complaint and Dropbox security in the following Blogs: [url="http://blog.agilebits.com/2011/04/dropbox-security-questions/"]Dropbox Security Questions[/url] & [url="http://blog.agilebits.com/2011/05/dropbox-security-revisited-plus-ca-change/"]Dropbox security revisited[/url]



    [quote]My direct question to them is, "is the 1PW keychain encrypted *before* it is downloaded onto an offsite server? I believe it is. [/quote]

    You are correct. All encryption/decryption of 1P's keychain is performed on your computer or device. An encrypted file is synced to the cloud. Please see AgileBits' cloud security article for more details: [url="http://help.agile.ws/1Password3/cloud_storage_security.html"]Security of storing 1Password data in the cloud.[/url]



    Regarding storing non-1Password data files on Dropbox, I have the same concerns as you. I'm not concerned about my 1Password.agilekeychain being decrypted, but I have zero confidence in .pdf or MS Office file encryption.



    The possibility of storing a Knox image in Dropbox was discussed recently. Please see the following thread for more details: [url="http://forum.agile.ws/index.php?/topic/4146-emailing-knox-files/"]Emailing Knox Files?[/url] The topic does finally discuss storing Knox files in Dropbox, but please note that there are some potential hazards to avoid.



    I use an application similar to QuickBooks, and I store my files in a Knox image. When I go on a trip, I backup my data and place the backup in Dropbox. Wherever I go, I can get to the file and access it using the Mac's Disk Utility. Of course, I could also download the Knox application from [url="http://agilebits.com/downloads"]AB's website[/url]. If you don't have your license handy, you can have it e-mailed to you within 5 minutes: [url="http://agilebits.com/home/licenses"]Resend Licenses[/url]



    So, I believe between using 1Password and Knox, you can embrace the cloud with the confidence that your files are secure.



    Thanks for posting. I look forward to hearing others' comments.



    Cheers!



    Brandt
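    As an added illustration of the point Brandt makes above (this is example code, not 1Password's own keychain format or AgileBits code): the secrets are encrypted on the client with a key derived from the master password, and only the resulting blob is placed in the sync folder. The key-derivation parameters (PBKDF2-HMAC-SHA256, 200,000 iterations), the AES-128-GCM choice, the blob layout, and the sample vault contents are all assumptions made for this example. Node's built-in crypto module is used so it runs offline.

    ```javascript
    // Added example, not AgileBits/1Password code. Assumed scheme:
    // PBKDF2-HMAC-SHA256 -> AES-128-GCM; blob = salt || iv || tag || ciphertext.
    const crypto = require('crypto');

    const ITERATIONS = 200000; // assumed work factor for the master-password KDF
    const KEY_BYTES = 16;      // AES-128, the key size the thread refers to
    const SALT_BYTES = 16;
    const IV_BYTES = 12;       // GCM nonce length
    const TAG_BYTES = 16;      // GCM authentication tag length

    function deriveKey(masterPassword, salt) {
      return crypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, KEY_BYTES, 'sha256');
    }

    // Everything the sync service ever sees is the Buffer this returns.
    function encryptVault(masterPassword, vaultObject) {
      const salt = crypto.randomBytes(SALT_BYTES);
      const iv = crypto.randomBytes(IV_BYTES);
      const key = deriveKey(masterPassword, salt);
      const cipher = crypto.createCipheriv('aes-128-gcm', key, iv);
      const plaintext = Buffer.from(JSON.stringify(vaultObject), 'utf8');
      const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
      const tag = cipher.getAuthTag();
      return Buffer.concat([salt, iv, tag, ciphertext]);
    }

    // Decrypting happens only on a device that knows the master password.
    // GCM's tag check makes this throw on a wrong password or a modified blob,
    // so a tampered file coming back from the cloud is rejected, not silently used.
    function decryptVault(masterPassword, blob) {
      let offset = 0;
      const salt = blob.subarray(offset, (offset += SALT_BYTES));
      const iv = blob.subarray(offset, (offset += IV_BYTES));
      const tag = blob.subarray(offset, (offset += TAG_BYTES));
      const ciphertext = blob.subarray(offset);
      const key = deriveKey(masterPassword, salt);
      const decipher = crypto.createDecipheriv('aes-128-gcm', key, iv);
      decipher.setAuthTag(tag);
      const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
      return JSON.parse(plaintext.toString('utf8'));
    }

    // What someone holding only the synced file can read from it: a substring
    // search for a secret over the raw bytes should never succeed.
    function leaksPlaintext(blob, secret) {
      return blob.toString('latin1').includes(secret);
    }

    // Constructed sample vault; nothing here is real credential data.
    const sampleVault = { 'bank.example': { user: 'kagy', password: 'correct-horse-battery' } };
    const syncedBlob = encryptVault('a long master password', sampleVault);
    console.log('bytes in sync folder:', syncedBlob.length,
      'plaintext visible:', leaksPlaintext(syncedBlob, 'correct-horse-battery'));
    ```

    The thing to notice is that the sync service's own encryption never enters the picture: the file it stores is opaque whether or not its staff can read customer data, and a blob that has been altered in transit or at rest fails the tag check rather than decrypting to garbage.
    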
  • imajes
    imajes Junior Member
    edited June 2011
    Hey,



    I've now seen too many issues about dropbox's security (or, lack thereof) and am beginning to worry about storing my 1pw there. I'm already looking to move backups elsewhere, but for my syncing between devices, dropbox is it. Can anyone recommend any other scheme that would work today to replace this? (at this point, I'm happier with iDisk).



    Thanks.



    PS: here's the latest thread on dropbox (in)security: http://pastebin.com/yBKwDY6T
  • I use Wuala but SpiderOak works well. Said goodbye to DB last year. But doubtless the DB fans here will be along in a moment to allay your fears :)
  • Ind3X
    Ind3X Junior Member
    edited June 2011
    Just a few weeks since the last Dropbox 'security question marks' they're at it again....[url="http://pastebin.com/yBKwDY6T"]Do you trust this company?[/url]



    I don't think I do anymore.
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    [quote name='Ind3X' timestamp='1308614078' post='29696']

    Just a few weeks since the last Dropbox 'security question marks' they're at it again....[url="http://pastebin.com/yBKwDY6T"]Do you trust this company?[/url]



    I don't think I do anymore.

    [/quote]



    Their reply http://blog.dropbox.com/?p=821
  • [quote name='thightower' timestamp='1308614158' post='29697']

    Their reply http://blog.dropbox.com/?p=821

    [/quote]





    That's a pretty calm reply from Dropbox considering the exposure. To read about this after the event in the press is hugely disappointing. It's making me question using Dropbox. I've asked this before and I know you've addressed it before too, but do you continue to be fully confident in relying on another company's service for a large aspect of Agile's own product?



    Regards,



    Curbed
  • thightower
    thightower "T-Dog" Agile's Mascot Community Moderator
    edited June 2011
    [quote name='CurbedEnthusiasm' timestamp='1308621913' post='29706']

    That's a pretty calm reply from Dropbox considering the exposure. To read about this after the event in the press is hugely disappointing. It's making me question using Dropbox. I've asked this before and I know you've addressed it before too, but do you continue to be fully confident in relying on another company's service for a large aspect of Agile's own product?



    Regards,



    Curbed

    [/quote]



    Personally, I am entirely confident in the encryption of my 1Password keychain, and Dropbox is just a mechanism to get that keychain on my iOS devices, and Macs etc.



    The team is always looking for opportunities. I suspect even the upcoming iCloud may afford some opportunities, but whether we can tap them or whether they will be available for us to use, who knows. Roustem said he is open to other sync mechanisms and may / could use them in the future.



    Since iCloud will be FREE and works on Macs and PCs, I would love to see that possibility open up.



    Company wise I am just a lowly forum admin, so I defer to the Developers and admins.
  • jpgoldberg
    jpgoldberg Agile Customer Care
    We designed the 1Password format to withstand attack if it falls into the wrong hands. (Something I never grow tired of saying, even if everyone else is tired of me saying it.). This is not to say that you should happily make your 1Password data public, so this is an important issue.



    I don't wish to sound like an apologist for Dropbox, I'm not. But the way that they have handled this latest issue (a genuine security problem) is much better than how they have handled issues in the past. They have learned to be more explicit and direct with the public regarding real and potential weaknesses.



    Security, of course, is not about handling public relations, but the intensive scrutiny that Dropbox received in the winter has made their security much better, both in the software and system itself and in how they integrate security thinking into everything they do.



    The security buzzword I would like to introduce is "defense in depth". 1Password's encryption is one layer, Dropbox's security is another. Each should be designed with the presumption that the other may fail. Components within 1Password are designed with the presumption that other components may fail. Of course we don't want any of these to fail, but we live in a world where not everything is perfect. So we design things defensively.



    None of this means that we should ignore cases where an important layer fails, even temporarily. But most usable data syncing systems are going to require data in the cloud one way or another. (An alternative of using point-to-point syncing requires onerous network configurations by the user that may weaken their own overall security by having individuals run network visible services).



    It would be silly of us to grow completely dependent on Dropbox. We do research and experiment with alternatives. The result of that on-going research and experimentation still leaves us recommending Dropbox at this point.



    Cheers,



    -j
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi kagy,



    Just a big "ditto" on what Brandt says.



    I didn't notice Yip's article in the Dallas Morning News when it came out. It may already be in my recycling bin. (The real one, not the one on a Windows desktop.), but I'll try to look it up and comment more thoroughly.



    Cheers,



    -j
  • [quote name='jpgoldberg' timestamp='1308637470' post='29720']

    We designed the 1Password format to withstand attack if it falls into the wrong hands. (Something I never grow tired of saying, even if everyone else is tired of me saying it.). This is not to say that you should happily make your 1Password data public, so this is an important issue.



    I don't wish to sound like an apologist for Dropbox, I'm not. But the way that they have handled this latest issue (a genuine security problem) is much better than how they have handled issues in the past. They have learned to be more explicit and direct with the public regarding real and potential weaknesses.



    Security, of course, is not about handling public relations, but the intensive scrutiny that Dropbox received in the winter has made their security much better, both in the software and system itself and in how they integrate security thinking into everything they do.



    The security buzzword I would like to introduce is "defense in depth". 1Password's encryption is one layer, Dropbox's security is another. Each should be designed with the presumption that the other may fail. Components within 1Password are designed with the presumption that other components may fail. Of course we don't want any of these to fail, but we live in a world where not everything is perfect. So we design things defensively.



    None of this means that we should ignore cases where an important layer fails, even temporarily. But most usable data syncing systems are going to require data in the cloud one way or another. (An alternative of using point-to-point syncing requires onerous network configurations by the user that may weaken their own overall security by having individuals run network visible services).



    It would be silly of us to grow completely dependent on Dropbox. We do research and experiment with alternatives. The result of that on-going research and experimentation still leaves us recommending Dropbox at this point.



    Cheers,



    -j

    [/quote]



    Thanks Jeffery (And Tommy),



    I appreciate the response. I do agree with a lot of what you've written here regarding defense in depth. I'm not one to be panicking over a security breach, as knowing the encryption level of 1Password makes me comfortable that even if the Dropbox layer is exposed, there's still the little issue of breaking the AES-encryption for anyone trying to get access to my 1P data. It's more an issue of not wanting to see you guys rely on something that brings your product down in standing. If Dropbox continues to have these issues, it makes people more wary about using anything connected to it. I'm not entirely happy about Dropbox's response - or why it even happened in the first place. I mean, if they've stated that they're going to put measures in place that will prevent this from happening again, the question needs to be asked why weren't those measures deployed in the first place! Also, I don't know if I'd call their handling of it any better than the past - since many people learnt about this exposure from news posts rather than from the company directly. And further, no apologies from them, just a "Hmmm, that shouldn't have happened" blog post. To me it comes off as sloppy on Dropbox's part and I'm not liking the direction they are going in. But anyways, I digress. As Tommy stated above, if iCloud turns out to be something that 1Password could use for syncing, then that would be a huge win in my opinion.



    Kind Regards,



    Curbed
  • pjv
    pjv Junior Member
    [quote name='imajes' timestamp='1308586864' post='29647']

    Hey,



    I've now seen too many issues about dropbox's security (or, lack thereof) and am beginning to worry about storing my 1pw there. I'm already looking to move backups elsewhere, but for my syncing between devices, dropbox is it. Can anyone recommend any other scheme that would work today to replace this? (at this point, I'm happier with iDisk).



    Thanks.



    PS: here's the latest thread on dropbox (in)security: http://pastebin.com/yBKwDY6T

    [/quote]



    +1



    Would be awesome if it were possible to support other services for syncing besides dropbox. Although I have been a dropbox user for years now, two bad security lapses in a couple months is making me paranoid. For me, the best possible solution would be something that was really flexible, allowing me to use my own server (SSH, webdav, SSL, you name the protocol and I'll config my server to provide the keychain at some URL) to host my keychain. That way if there is a security lapse it's my fault.
  • A slightly biased article here [url="http://www.wuala.com/blog/2011/06/cloud-security.html"]Wuala[/url] and an interesting read here [url="https://spideroak.com/engineering_matters"]SpiderOak[/url]
  • [quote name='Catcher' timestamp='1308644729' post='29727']

    A slightly biased article here [url="http://www.wuala.com/blog/2011/06/cloud-security.html"]Wuala[/url] and an interesting read here [url="https://spideroak.com/engineering_matters"]SpiderOak[/url]

    [/quote]



    I'm actually trialling SpiderOak at the moment, along with SugarSync, however, I've heard bad things about SugarSync's support. SpiderOak claims a zero-knowledge encryption to user data.
  • [quote name='CurbedEnthusiasm' timestamp='1308648784' post='29732']

    I'm actually trialling SpiderOak at the moment, along with SugarSync, however, I've heard bad things about SugarSync's support. SpiderOak claims a zero-knowledge encryption to user data.

    [/quote]



    I *think* SS may have the same drawback as DB - they have said on their forums that in certain situations a trusted band of employees can see the users data. But only with the customers permission. :)
  • brenty
    edited June 2011
    Hey guys, I just wanted to weigh in here. I am not personally invested in Dropbox myself. I use their service because it suits my needs. When it no longer does, I will use something else. It's as simple as that.



    But I feel like it needs to be said that no company is immune to these threats. No security is perfect. The reasons that Dropbox has suffered these setbacks are manifold, but the two big ones that I can see are that they grew rather quickly and became a big target as a result. I think the important thing is that they are learning from their mistakes and learning some humility. We all have to do the best we can to anticipate threats and prepare accordingly. Dropbox underestimated the risk and is paying the price, mainly from a PR standpoint. Plenty of people still use their service, myself included. I just don't put data there unencrypted if I could not live with someone else gaining access to it, just as I don't put anything [i]anywhere[/i] on the internet when I could not abide its exposure.



    Ultimately, 1Password does not depend on Dropbox, either for its functionality or its security. Transmitting data over the internet means accepting some risk. I am personally comfortable with this because I know that my sensitive data is encrypted before it even leaves my computer. 1Password was designed to be an online security solution that operates entirely offline. It interacts with web browsers, but data is stored and managed completely locally.



    While we would really like to offer other sync'ing options, this requires resources we do not necessarily have. Supporting Lion, Safari 5.1, and the rest of the Firefoxes that will come due before summer is out means that we have less time to spend researching and perhaps implementing others. iCloud, for example, sounds great; but at this stage little is known about the specifics, as an example. No matter your feelings about Dropbox, I believe that our Dropbox support is pretty awesome; and I think that the reason their recent troubles are so upsetting to some of our customers is because they love Dropbox, too. It feels like a betrayal -- you take it personally. And I can totally relate.



    So, if you are not comfortable using the Dropbox service to make your data readily accessible to your other devices, you absolutely do not need to, to take full advantage of 1Password. Dropbox is just there to make it simple to keep your data in sync. It's a quality of life enhancement, not a mission-critical service: The difference between cosmetic surgery and basic medical care. Our personal data is a personal matter, and each of us has to choose for ourselves what is right for us, since we are the only ones who really know what is at stake.



    It is really important that we discuss this, and if you guys have anything else to add, I would love to hear your thoughts.
  • [Deleted User]
    edited June 2011
    [quote name='imajes' timestamp='1308586864' post='29647']

    Hey,



    I've now seen too many issues about dropbox's security (or, lack thereof) and am beginning to worry about storing my 1pw there. I'm already looking to move backups elsewhere, but for my syncing between devices, dropbox is it. Can anyone recommend any other scheme that would work today to replace this? (at this point, I'm happier with iDisk).



    Thanks.



    PS: here's the latest thread on dropbox (in)security: [url="http://pastebin.com/yBKwDY6T"]http://pastebin.com/yBKwDY6T[/url]

    [/quote]



    Hey imajes,



    I merged your topic with a similar thread.



    The security of your 1Password data file ([i]1Password.agilekeychain[/i]) has been a hot topic well before yesterday. For 1P users, the primary concern has been the safety of your passwords. As I noted in my [url="http://forum.agile.ws/index.php?/topic/5160-cloud-security/page__view__findpost__p__29479"]previous post[/url], your 1P data file is encrypted before it is synched to Dropbox, or before syncing to the cloud with any other app. That being said, the latest Dropbox issue makes you no more (in)secure than you were when it was revealed that some Dropbox employees could decrypt your Dropbox folder.



    However, the security of non-encrypted files in Dropbox IS a concern for most of the 1P family, and I share everyone's worry. Personally, I use AgileBits' Knox application for encrypting files prior to cloud syncing, but I understand that at this time, Knox is not the best solution for everyone. So, it is great hearing opinions from other members on which applications they like to use.



    Regardless, if you wish to look for another cloud sync option, iDisk is currently not recommended for use with 1P: [url="http://help.agile.ws/1Password3/idisk_syncing.html"]Using iDisk to Sync 1P Data[/url]



    Please review the following article for potential other sync options: 1P Data File Sync Solutions Note that if you wish to sync 1P with your iOS devices, Dropbox is the only cloud solution.



    Cheers!



    Brandt
  • [Deleted User]
    edited June 2011
    [quote name='Catcher' timestamp='1308587671' post='29650']

    I use Wuala but SpiderOak works well. Said goodbye to DB last year. But doubtless the DB fans here will be along in a moment to allay your fears :)

    [/quote]



    Catcher,



    Thanks for sharing alternatives that have worked for you.



    I sync my 1P data across several iOS and other mobile devices, so I am a DB fan. However, I do not follow them blindly. It took me a while to start using their service, and I've paid very close attention to each issue that has arisen.



    I'm confident that my 1P data is safe, but I'm looking for ways to secure the other files I send to the cloud.



    Brandt
  • ciara
    ciara Junior Member
    edited June 2011
    I personally do not want to use dropbox for syncing my 1pass files.... there have been several security breaches. Considering many of us not only keep our banking and credit card passwords -- many also keep those items in the wallet feature. Finding out that for 4 hours criminals could have downloaded my password file - containing nearly 1000 passwords - is frustrating.



    Please stop using dropbox as a method to sync. It's completely insecure and dropbox has no vested interest in fixing it for 1password.



    (info on the hack)



    http://lifehacker.com/5813861/dropbox-accidentally-unlocked-all-accounts-for-4-hours



    for those of us that would be crippled without access to our password data on our mobile devices - how about another method to sync it??



    mary lou
  • Hi Mary Lou,



    You're right, the attackers could have, had they known your Dropbox e-mail and known about the flaw within the relatively short timeframe that the issue was present, downloaded your 1Password data file.



    But that's all they could do, as Jeff discussed above, your 1Password data file is designed to be secure even if it's effectively stolen. We use 128-bit AES encryption on all your sensitive 1Password data, so unless you use a very weak master password for your 1Password data file, the attackers would have to spend somewhere in the region of 149 trillion years brute-forcing that encryption as we detail here:



    http://help.agilebits.com/1Password3/cloud_storage_security.html



    I think the point made is that while you're relying on Dropbox to sync your data, you're not relying on them to secure your data, the 1Password data file has this built in, and that's why we remain confident in supporting and recommending their service. Does that mean that we won't continue to seek alternatives, of course not, it would be irresponsible of us not to, but as Brent mentioned at the moment the only syncing solution that's flexible enough for us to use between the desktop and mobile apps is Dropbox.



    No one else (at this stage) provides the APIs needed for a reliable mobile sync, it's not just as simple as the service having a mobile app of their own, since iOS applications are sandboxed, they actually have to provide other developers with tools to access the service and retrieve your data.



    As it happens, the Dropbox team worked with us when they made their recent changes to their database format to ensure that 1Password was ready to work with these security changes. From everything I've seen from Dropbox, as an aspiring developer myself, they want to give the best service to their customers and work with developers to provide a great sync solution; again I haven't seen this from other solutions yet.



    If you're using 1Password for Mac, you have the choice not to use Dropbox, you can sync your iOS devices easily with our Wi-Fi sync solution over your local network by following our guides here:



    http://help.agilebits.com/1Password_touch/sync_to_mac_manually.html (iPhone)

    http://help.agilebits.com/1Password_iPad/sync_to_mac_manually.html (iPad)



    To summarise, we won't be dropping support for Dropbox, but we will continue to look into other sync solutions, and if we can find something that meets all our requirements we'll seriously consider this as an option.



    [quote name='ciara' timestamp='1308670288' post='29761']

    I personally do not want to use dropbox for syncing my 1pass files.... there have been several security breaches. Considering many of us not only keep our banking and credit card passwords -- many also keep those items in the wallet feature. Finding out that for 4 hours criminals could have downloaded my password file - containing nearly 1000 passwords - is frustrating.



    Please stop using dropbox as a method to sync. It's completely insecure and dropbox has no vested interest in fixing it for 1password.



    (info on the hack)



    http://lifehacker.com/5813861/dropbox-accidentally-unlocked-all-accounts-for-4-hours



    for those of us that would be crippled without access to our password data on our mobile devices - how about another method to sync it??



    mary lou

    [/quote]
  • jpgoldberg
    jpgoldberg Agile Customer Care
    Hi all,



    Forgive me for not responding to each of you individually. There is a lot of very legitimate and genuine concern about relying on Dropbox and I'll try to address all of them.



    Let me again repeat that [i]your confidential data in 1Password is very well encrypted before it leaves your machine[/i]. (Indeed it is encrypted before it ever gets written to a disk.) A Dropbox security failure does not mean a 1Password breach.



    One thing that I can advise everyone to do is look at the login and event history for your Dropbox account at



    https://www.dropbox.com/events



    [b]Alternatives to Dropbox[/b]



    Regarding specific alternatives to Dropbox, we have certainly looked at cloud storage systems which add their own client side, but we need something that provides genuine syncing to local disks across platforms. We continue to look at these, but at this point I am doubtful that anything which doesn't really ensure that client disks have local copies of the data can meet our needs.



    This also applies to WebDAV. Indeed, prior to going with Dropbox we worked very hard to get syncing working on WebDAV. After months of effort, we had to abandon that approach. We just couldn't get the performance and reliability out of it that was needed.



    iCloud is extremely exciting, but it is early days. Obviously we are very interested in this, but there are questions that still remain to be answered.



    Syncing your 1Password data among all of your devices is a really great feature of 1Password. Most of you depend on it. Naturally we don't want such an important part of what we do to be entirely dependent on a single third party service. So you can rest assured that our exploration of alternatives is serious (and has been going on for quite a while).



    [b]About Dropbox announcement[/b]



    We still don't know what went wrong at Dropbox with the latest problem. Their initial announcement does not explain how what happened happened. This is almost certainly because they don't know. It was important for them to get an announcement out quickly. After that, they need to investigate carefully.



    This latest incident is a significant security failure in a way that what happened months ago wasn't. Yet I am personally less troubled by this than by what happened earlier. What happened earlier suggested worrying things about how they dealt with security, but we've had every indication over the past few months that they have genuinely learned from that.



    Once we know more about how this happened, we will be in a better position to judge their commitment to security. But again, I need to stress that the security of what you store in 1Password does not depend on Dropbox; it depends on your master password.



    Cheers,



    -j
  • Thanks guys for the replies. One of the things I love about Agile is the support you all give :)



    So... bottom line... A serious matter, but "don't panic!"? I'm trying to resist the paranoid OCD urges which are compelling me to change all my passwords regardless, lol...





    Re. the "Events" page in Dropbox... It's a pity that only gives additions & deletions. You can't tell if someone has simply downloaded one or more of your files. The "My Computers" page is a bit lacking too, only giving the current IP of the desktop client. I've suggested to the Dropbox team that they add something similar to Google's recent IP activity log, as it would be very handy in a situation like this if you could actually see the recent IPs, the time/date of their access, and also whether it was via web / client / mobile app. I don't know whether they take suggestions seriously though, but maybe others will suggest it and they'll do it eventually. 2-Step verification (again, like Google, or even PayPal) would be good too for website access.
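    To make concrete the kind of review the two posts above are asking for (check your account's event history; wish it showed IPs, times and client type, not just additions and deletions), here is an added example that is not Dropbox or AgileBits code. The log format is a hypothetical one constructed for this example with the fields the poster wishes existed, the IP addresses are documentation ranges, and the incident window is a placeholder, not the actual times of the Dropbox incident. The review answers two questions a defender cares about after such an event: what happened inside the window, and which of it came from an IP/client pair never seen on the account before.

    ```javascript
    // Added example, not Dropbox/AgileBits code. Constructed, hypothetical log:
    //   <ISO-8601 time> <event> <source IP> <client> <path or '-'>
    const SAMPLE_LOG = `
    2011-06-19T08:00:00Z login    198.51.100.7 desktop -
    2011-06-19T08:05:00Z sync     198.51.100.7 desktop /1Password.agilekeychain
    2011-06-20T09:00:00Z login    198.51.100.7 desktop -
    2011-06-20T17:12:00Z login    203.0.113.5  web     -
    2011-06-20T17:13:00Z download 203.0.113.5  web     /1Password.agilekeychain
    2011-06-20T17:20:00Z download 203.0.113.5  web     /Quicken-backup.qdf
    2011-06-20T18:30:00Z sync     198.51.100.7 desktop /1Password.agilekeychain
    2011-06-21T09:00:00Z login    198.51.100.7 desktop -
    `;

    // Placeholder incident window (constructed; the thread only says "4 hours").
    const WINDOW_START = '2011-06-20T16:00:00Z';
    const WINDOW_END = '2011-06-20T20:00:00Z';

    function parseEvents(text) {
      return text.trim().split('\n').map((line) => {
        const [ts, type, ip, client, path] = line.trim().split(/\s+/);
        return { time: Date.parse(ts), type, ip, client, path: path === '-' ? null : path };
      });
    }

    // Baseline = every IP/client pair active before the window opened. Anything
    // inside the window from a pair outside that baseline is worth a closer look;
    // the files it touched are the ones to treat as exposed.
    function reviewEvents(events, windowStart, windowEnd) {
      const start = Date.parse(windowStart);
      const end = Date.parse(windowEnd);
      const source = (e) => `${e.ip}/${e.client}`;
      const known = new Set(events.filter((e) => e.time < start).map(source));
      const inWindow = events.filter((e) => e.time >= start && e.time <= end);
      const unknown = inWindow.filter((e) => !known.has(source(e)));
      return {
        inWindow,
        unknownSources: [...new Set(unknown.map(source))],
        filesExposed: [...new Set(unknown.filter((e) => e.path).map((e) => e.path))],
      };
    }

    const report = reviewEvents(parseEvents(SAMPLE_LOG), WINDOW_START, WINDOW_END);
    console.log(`${report.inWindow.length} events in window;`,
      `unknown sources: ${report.unknownSources.join(', ') || 'none'};`,
      `files to treat as exposed: ${report.filesExposed.join(', ') || 'none'}`);
    ```

    In the constructed log the desktop client's own sync during the window is not flagged, because that IP/client pair was already established, while the web session from a new address is, and the two files it downloaded are the ones to act on: the encrypted keychain is safe by design (as discussed above), whereas an unencrypted backup would need its contents treated as disclosed.
    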
  • theElvis
    theElvis Junior Member
    Dear Agile,



    [b]it's time to drop dropbox support with 1Password.[/b]

    They repeatedly had big big security flaws and it is slowly but surely marking your product if you keep supporting such a system!



    I know there is a second wall because the 1Password database is encrypted, but nevertheless, it doesn't feel good if my encrypted datafile would be out there in the wild.



    just my 2 cents (yes and i am still using dropbox but not for 1password or other sensitive data)



    @Dropbox fly or die!
  • Hi theElvis,



    If we drop support for Dropbox syncing with 1Password then we'll have no cloud syncing solution at all, and that's not a situation we want our users to be in. As we've mentioned, there are currently no alternatives that meet all of our needs, so Dropbox is the only option for now.



    The reality is that, while there have been a number of Dropbox security problems, the Dropbox team have responded well to these, dealt with them quickly and in the most recent case been open about the issues.



    Your encrypted 1Password data are safe at all times, even if you put them on a public web server, the encryption we're using would take someone, as we've mentioned, 149 trillion years to break even with the world's most powerful 'cracking computer', given that the universe is estimated to be about 15 billion years old, I think that's a pretty reasonable safety net. As Jeff, and myself, have mentioned, the 1Password data format is designed to withstand attack and we detail this in our 'Agile Keychain Design' document:



    http://help.agilebits.com/1Password3/agile_keychain_design.html



    Also, just to be clear, we're by no means dismissing this as a non-issue, any security issue is a problem, but Dropbox have resolved the issue and we still believe this to be a very secure way to sync your 1Password data, at least as it stands right now. That may change in the future, we're not ruling other solutions out, but we do have limited resources, so we can't just roll out a new syncing engine overnight, though it would be awesome if we could :-)



    Thanks for the feedback,



    [quote name='theElvis' timestamp='1308689154' post='29821']

    Dear Agile,



    [b]it's time to drop dropbox support with 1Password.[/b]

    They repeatedly had big big security flaws and it slowly but surely marking of your product if you keep supporting such a system!



    I know there is a second wall because the 1Password database is encrypted, but nevertheless, it doesn't feel good if my encrypted datafile would be out there in the wild.



    just my 2 cents (yes and i am still using dropbox but not for 1password or other sensitive data)



    @Dropbox fly or die!

    [/quote]
  • Why not add the option to use something like [url="https://www.jungledisk.com/"]JungleDisk[/url]. I've been using it for ages to backup to the cloud and it has similar desktop functionality to DropBox. It's pretty easy to use, although it is payware, it is ridiculously cheap.



    My 2c



    Alex.
  • Hi Alex,



    If I remember correctly, JungleDisk ties into Amazon's S3 service. The problem is that that would possibly work for the desktop applications, but the biggest issue is that we'd need to build a whole syncing solution around Amazon S3 for our mobile applications, which would take quite a bit of time and resources.



    Thanks for all the suggestions folks,





    [quote name='alexr' timestamp='1308690743' post='29832']

    Why not add the option to use something like [url="https://www.jungledisk.com/"]JungleDisk[/url]. I've been using it for ages to backup to the cloud and it has similar desktop functionality to DropBox. It's pretty easy to use, although it is payware, it is ridiculously cheap.



    My 2c



    Alex.

    [/quote]
  • Gents,



    1Password recommends Dropbox for remote syncing. While Dropbox claims to have strong security, we've learned recently via the news media that Dropbox does not store all files in AES encryption as claimed, and now we learn that they've made ALL private files PUBLIC.



    http://www.eweek.com/c/a/Security/Dropbox-Accidentally-Turned-Off-Passwords-on-File-Storage-Service-655206/



    As a customer who followed your advice and placed all of my passwords in your app, and then on Dropbox, I need to know:



    1) What are the risks based on this current Dropbox issue, making all files public? Do I need to change all of the passwords stored in 1Password? If someone has my 1Password files, how long will it take them to extract the data - my passwords - from these files?



    2) What is a SECURE alternative to Dropbox? Clearly Dropbox lied about their level of security, and they have proven that they cannot maintain the weak security that they do offer. Assuming I'm not bankrupted via identity theft due to my trust in 1Password and Dropbox and am forced to sell my Mac, what alternatives to Dropbox are available?



    Thanks,



    Peter Shaw
  • [Deleted User]
    edited June 2011
    Hello Peter and welcome to the Forums!



    I merged your topic with the appropriate thread.



    [quote]1) What are the risks based on this current Dropbox issue, making all files public? Do I need to change all of the passwords stored in 1Password? If someone has my 1Password files, how long will it take them to extract the data - my passwords - from these files?[/quote]

    You do not need to change all of your passwords stored in 1P. Your 1P data file is encrypted [b]before[/b] being synced to Dropbox, and it is highly unlikely that, if anyone had access to your data file, that person could decrypt it. Please review Jeff Goldberg's (jpgoldberg) post for more details.



    [quote]What is a SECURE alternative to Dropbox? Clearly Dropbox lied about their level of security, and they have proven that they cannot maintain the weak security that they do offer. Assuming I'm not bankrupted via identity theft due to my trust in 1Password and Dropbox and am forced to sell my Mac, what alternatives to Dropbox are available?[/quote]

    Depending on your system setup, there may be alternatives that you can use. However, if you wish to sync desktop and mobile devices, Dropbox is the only cloud-based solution at this time. Jeff also comments on alternatives in the linked post above.



    Please review this thread, and Jeff's comments in particular, and reply with any additional comments or concerns.



    Cheers!



    Brandt
  • [quote name='stu' timestamp='1308690038' post='29829']

    Hi theElvis,



    If we drop support for Dropbox syncing with 1Password then we'll have no cloud syncing solution at all, and that's not a situation we want our users to be in. As we've mentioned, there are currently no alternatives that meet all of our needs, so Dropbox is the only option for now.



    The reality is that, while there have been a number of Dropbox security problems, the Dropbox team have responded well to these, dealt with them quickly and in the most recent case been open about the issues.



    Your encrypted 1Password data are safe at all times. Even if you put them on a public web server, the encryption we're using would take someone, as we've mentioned, 149 trillion years to break even with the world's most powerful 'cracking computer'; given that the universe is estimated to be about 15 billion years old, I think that's a pretty reasonable safety net. As Jeff and I have mentioned, the 1Password data format is designed to withstand attack, and we detail this in our 'Agile Keychain Design' document:



    http://help.agilebits.com/1Password3/agile_keychain_design.html



    Also, just to be clear, we're by no means dismissing this as a non-issue; any security issue is a problem. But Dropbox have resolved the issue, and we still believe this to be a very secure way to sync your 1Password data, at least as it stands right now. That may change in the future; we're not ruling other solutions out, but we do have limited resources, so we can't just roll out a new syncing engine overnight, though it would be awesome if we could :-)



    Thanks for the feedback,

    [/quote]



    I think that's very sensible of Agile, Stu. It's good to have a discussion about these things.
  • [quote name='Tezcatlipoca' timestamp='1308685772' post='29803']

    Thanks guys for the replies. One of the things I love about Agile is the support you all give :)

    [/quote]



    Hear, hear. Well done, Agile, for responding so well to customer concerns.
  • khad
    khad Social Choreographer
    Thank you. I have passed this along to the rest of team. We try to be as honest and upfront about these kinds of situations as possible.



    Thank you — all of you — for your passion for security and for 1Password. We definitely take these issues as seriously as you do and are looking at all our options.



    Keep the feedback coming. We really appreciate it.
