Dropbox problem?

devibimal
Community Member

I am not sure I understand how 1passwordanywhere works.

With that said I am trying to open 1passwordanywhere html file by opening Dropbox app installed on either my iPhone or iPad and keep getting the same error.

Also now that I see that this file is accessible I am once again worried about someone getting hold of this html file. Unfortunately I may not be plugging right terms in search to read up on how this works and what security mechanism Dropbox/1password uses.

Hope someone has an answer to this.

Comments

  • Hi @devibimal,

    You can read about using 1PasswordAnywhere here:

    https://support.1password.com/1passwordanywhere/

    It will not work from within the Dropbox app on iOS.

    Thanks!

  • devibimal
    Community Member
    edited April 2015

    Thanks @bwoodruff

    One thing I noted after going through the link and embedded link is

    There is one risk unique to 1PasswordAnywhere, which does not apply to other cases. If an attacker is capable of breaking into your Dropbox account and changes the contents of the 1Password.html file, she can modify it so that it records and sends off your Master Password.

    Where, why and how the master password is compromised is beyond me but I don't feel safe.

    As this file is not on iCloud (is it because iCloud will not allow root read/write access as I read elsewhere on your site) would it be safe to say that syncing with iCloud is MUCH safer than Dropbox?

  • devibimal
    Community Member
    edited April 2015

    @bwoodruff - another thing after reading your response above

    It will not work from within the Dropbox app on iOS.

    I successfully opened html file on iPad safari. I see a trash folder on the left that has many entries that I deleted as I was working thru various options. The same trash folder does not exist on iPad or iPhone. How do I remove those from my master file?

  • Where, why and how the master password is compromised is beyond me but I don't feel safe.

    The short answer is that the attack vector described only applies if you login to 1PasswordAnywhere after an attacker modifies the file. If you do not login to 1PasswordAnywhere, this attack vector would not apply to you.

    I'll ask @jpgoldberg to provide a more detailed answer.

    As this file is not on iCloud (is it because iCloud will not allow root read/write access as I read elsewhere on your site)

    The file is not sent to iCloud because iCloud does not use the Agile Keychain, which is where 1PasswordAnywhere lives.

    would it be safe to say that syncing with iCloud is MUCH safer than Dropbox?

    No, I don't believe that would be safe, or fair, to say, based on this information alone.

    I successfully opened html file on iPad safari. I see a trash folder on the left that has many entries that I deleted as I was working thru various options. The same trash folder does not exist on iPad or iPhone. How do I remove those from my master file?

    Trashed items are not accessible on iOS. They can be accessed on Mac or Windows.

  • jpgoldberg
    1Password Alumni

    @bwoodruff is correct when he says that there is a class of attacks that 1Password protects you from except for when you are actively using 1PasswordAnywhere:

    The short answer is that the attack vector described only applies if you login to 1PasswordAnywhere after an attacker modifies the file. If you do not login to 1PasswordAnywhere, this attack vector would not apply to you.

    When you are running 1Password itself either on your computer or on your mobile device, there are a number of checks that make sure that you are running a bona fide copy of 1Password. It is the 1Password that we produce. It's not only that the way 1Password is originally delivered to you is over a secure channel, but your operating system runs a number of checks to see that the software is from who it says it is from and that it hasn't been tampered with.

    When you use 1PasswordAnywhere, you are also getting software delivered to your web browser. It is software that does process your Master Password when you type it in. But in this case the "software" is a program that is "stored" in your 1Password.html file in your Dropbox account. If someone gains write access to your Dropbox account, they could change the contents of the 1Password.html file and add something malicious to it. Another avenue of attack is the TLS connection. If your HTTPS connection is compromised, then again, an attacker could change the contents of the 1Password.html file that is delivered to your computer.

    Note that both of these attacks require something to be compromised. Either gaining write access to your Dropbox account or being able to manipulate the HTTPS session. Neither of those are "easy" to do. But those are attacks that are entirely irrelevant to using the 1Password apps or programs. That is, your 1Password security doesn't depend on TLS or Dropbox except for when you use 1PasswordAnywhere.

    I'm not sure if this helps clarify things or whether it raises more questions than it answers. But I hope that it clarifies things.
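
The tampering risk described above can be checked for before logging in by comparing the synced 1Password.html with a copy you trust. This is an added example, not part of the original thread and not AgileBits code; it assumes you keep a trusted copy outside Dropbox, and the function names, file arguments and sample HTML are constructed for illustration.

```python
import hashlib
import hmac
import re
import sys

# Absolute http(s) URLs: hosts the page could load code from or send data to.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def external_hosts(data: bytes) -> set:
    return {h.decode("ascii").lower() for h in URL_RE.findall(data)}

def check_copy(trusted: bytes, synced: bytes) -> dict:
    """Compare the synced file with a trusted copy kept outside Dropbox."""
    t, s = digest(trusted), digest(synced)
    return {
        # Any byte difference counts: the digest mismatch is the real signal.
        "unchanged": hmac.compare_digest(t, s),
        "trusted_sha256": t,
        "synced_sha256": s,
        # Triage hint only: an empty list does NOT mean a changed file is safe.
        "new_hosts": sorted(external_hosts(synced) - external_hosts(trusted)),
    }

# Constructed sample data (not the real 1Password.html contents).
TRUSTED = b"<html><script>/* unlock and decrypt locally */</script></html>"
TAMPERED = TRUSTED.replace(
    b"</html>",
    b'<script src="https://unexpected.example.invalid/a.js"></script></html>',
)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py TRUSTED_COPY SYNCED_COPY
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            report = check_copy(a.read(), b.read())
    else:
        report = check_copy(TRUSTED, TAMPERED)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(0 if report["unchanged"] else 1)
```

Run it from an installed program on your own machine rather than from anything served through Dropbox, and treat any mismatch as a reason not to type the Master Password into that copy.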

  • devibimal
    Community Member

    Thanks for detailed response @jpgoldberg. I guess my questions have been answered and as you guessed there will be more as I think about it. Instead I'll make sure my Dropbox and 1Password passwords are even more secure than they are with 15+ character length. Appreciate you taking time to explain and thanks to @bwoodruff on explaining the iCloud mechanics.

    So for now till I get Mac client I will be stuck with the trash items. I will have to buy a Mac and then the software. :) Oh boy. I guess I'll cave in one of these days and buy Windows client. When's the next sale folks?

    Trashed items are not accessible on iOS. They can be accessed on Mac or Windows.

  • On behalf of @jpgoldberg and myself, you are very welcome!

    When's the next sale folks?

    I don't have any info on an upcoming sale at the moment, but when we have one we'll be sure to announce it via the usual channels. :)

This discussion has been closed.