Dropbox Security

scotty321
Community Member

We are syncing our 1Password vault through Dropbox. Since the Dropbox employees have 100% complete access to all of our files, how can we prevent them from hacking into our 1Password file? And how could we ever possibly know with 100% certainty that they HAVEN'T ALREADY hacked into our 1Password file?? We have all sorts of important financial information & important notes stored within our 1Password file -- it could be potentially devastating to our lives if someone were to gain access to this information. We already have an incredibly lengthy & strong master password which is about 80 random characters long, but passwords don't usually stop hackers. How easy is it to crack open this file?


Comments

  • Hi @scotty321,

    Thanks for taking the time to write in.

    > We are syncing our 1Password vault through Dropbox.

    Your use of “we” here suggested that you may be using Dropbox to share 1Password information. Is that accurate? If so you may want to consider migrating to a 1Password membership (1Password Teams for business or 1Password Families for home). One of the main reasons we built 1Password memberships was because of the demand for more secure and reliable sharing solutions that Dropbox and other 3rd party vendors couldn’t provide us with.

    > Since the Dropbox employees have 100% complete access to all of our files, how can we prevent them from hacking into our 1Password file?

    Short answer: A strong and unique (not used anywhere else) Master Password.

    Longer answer: You may want to take a look at this document from Dropbox. Their assertion is that while employee access to customer files is a technical possibility it would only happen in rare and specific circumstances that are monitored and controlled:

    File privacy and visibility: who can see your files – Dropbox

    Additionally the security of your 1Password data does not rely on the secrecy of your keychain file. Your data is encrypted with your Master Password. As such your Master Password is required to decrypt that data.

    > And how could we ever possibly know with 100% certainty that they HAVEN'T ALREADY hacked into our 1Password file??

    You can’t.

    > We have all sorts of important financial information & important notes stored within our 1Password file -- it could be potentially devastating to our lives if someone were to gain access to this information. We already have an incredibly lengthy & strong master password which is about 80 random characters long, but passwords don't usually stop hackers. How easy is it to crack open this file?

    As long as that incredibly long password isn’t being used for anything other than your 1Password Master Password, isn’t stored where someone can get at it, and doesn’t get keylogged by using an infected computer... the chances of compromise are significantly mitigated.

    I hope that helps, but if you have further questions we’ll be happy to answer them. :) If we can be of further assistance, please let us know. Merry Christmas!

    Ben

  • Lars
    1Password Alumni

    @scotty321 - to add just a bit to what Ben said here:

    > the security of your 1Password data does not rely on the secrecy of your keychain file. Your data is encrypted with your Master Password. As such your Master Password is required to decrypt that data.

    I wanted to make sure I direct your attention to our brief explainer on exactly this topic: How 1Password protects your data when you use a sync service.

  • Lars
    1Password Alumni

    @scotty321 - I'm glad the link helped! We essentially design 1Password under the assumption that someone has already gotten access to your data. It happens: people's laptops get stolen or lost and discovered by not-so-honest people, etc. It's no different (more or less) than the situation you envision of a rogue, evil Dropbox employee. (First, for the record, let me state we have never even heard of such a thing, but it is theoretically possible).

    That's why we go to the lengths we do to not rely on the encryption (or honesty) provided by Dropbox, or your own practices of keeping your laptop safe from thieves, etc -- we want your data to survive direct assault. And what provides that is the AES256 encryption (chiefly, though as that link elaborates, there are other tricks up our sleeves as well). The encryption is very, VERY solid. AES256 has been in the wild for over a decade now, and no one's been able to break it (or, if they have, there has been no trace whatsoever). It's what the NSA uses for much of their own encryption. In fact, it's so strong that the weak link in the chain is virtually always the user's Master Password. If someone can guess (or brute-force) your Master Password, they've got the decryption key to your data. That's why we urge people to use a long, strong Master Password and never reveal it to ANYONE. In fact, we've actually got a great guide to helping choose a really strong Master Password; check it out!

    https://support.1password.com/strong-master-password/

    As long as you follow those tips (strong Master Password you don't write down anywhere easily discoverable, or tell to anyone), then you are quite secure indeed, even in the event that someone should acquire your actual 1Password data.

  • Lars
    1Password Alumni

    @scotty321 - I'm glad Ben and I were able to help, and I'm especially glad you're feeling more secure about things. It's entirely up to you, of course, but I would urge some caution about making your Master Password too long/random. If you're trying to memorize a truly random string of characters and you forget even one single character, you will have lost access to your data. As terrible as it would be to have your data compromised and an attacker gain access to all of it, at the same time, it's certainly no picnic to be locked out of your own data because you can't remember your Master Password. One of our recommendations is that if you have such a strong Master Password, you perhaps write it down (with no explanation; you will know what it is but no one else will) and put it somewhere like a safety deposit box or other place of safekeeping that only you can access. The same type of place you'd store things like birth certificates or passports, or other valuable documents. Just an idea. We see people here on a relatively regular basis who've lost access to their data because of a situation like this, and it's never a good experience.
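
The two points made in the replies above (the vault is protected by a key derived from the Master Password, so the password is the weak link, and one wrong character locks you out), as an added Python example that is not part of the original thread and not 1Password's code. The PBKDF2 parameters, salt, sample password, stand-in vault bytes and the guess rate are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import math

# Assumed parameters for this sketch, not 1Password's real settings.
ITERATIONS = 100_000   # PBKDF2 rounds (assumption)
KEY_BITS = 256         # AES-256 key size, as named in the thread
SALT = bytes(range(16))                    # constructed; real salts are random
VAULT_BLOB = b"constructed ciphertext"     # stands in for the encrypted vault
PASSWORD = "constructed-sample-passphrase-7Q"  # constructed sample

def derive_mac_key(master_password, salt):
    """Stretch the password with PBKDF2; keep the half used for the MAC."""
    material = hashlib.pbkdf2_hmac(
        "sha512", master_password.encode(), salt, ITERATIONS, dklen=64)
    return material[32:]   # the first 32 bytes would be the AES-256 key

def vault_tag(master_password, salt, blob):
    """Integrity tag stored beside the vault to verify an unlock attempt."""
    return hmac.new(derive_mac_key(master_password, salt), blob,
                    hashlib.sha256).digest()

def unlocks(candidate, salt, blob, tag):
    """True only when the candidate password reproduces the stored tag."""
    return hmac.compare_digest(vault_tag(candidate, salt, blob), tag)

def entropy_bits(length, alphabet_size):
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def effective_bits(password_bits):
    """The cheaper search wins: the password space or the raw key space."""
    return min(password_bits, KEY_BITS)

def years_to_search_half(bits, guesses_per_second):
    """Expected time to cover half the space at a given guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

TAG = vault_tag(PASSWORD, SALT, VAULT_BLOB)

if __name__ == "__main__":
    print("right password:", unlocks(PASSWORD, SALT, VAULT_BLOB, TAG))
    print("one char off:  ", unlocks(PASSWORD[:-1] + "q", SALT, VAULT_BLOB, TAG))
    for length, alphabet in ((8, 26), (80, 94)):
        bits = effective_bits(entropy_bits(length, alphabet))
        print(length, "chars:", round(bits, 1), "bits,",
              f"{years_to_search_half(bits, 1e4):.3g} years at 1e4 guesses/s")
```

Under these assumptions, 80 characters drawn uniformly from 94 printable symbols carry about 524 bits, so the effective strength is capped by the 256-bit key rather than by the password.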

  • Lars
    1Password Alumni

    @scotty321 - anytime! Enjoy the rest of your holidays, and Happy New Year! :)

  • Lars
    1Password Alumni

    :+1: :)

This discussion has been closed.