Request cable sync

rowen
Community Member
I'd really prefer synching via the usual cable.

I tried to set up wifi synch, but it's really flakey; for some reason my iPhone doesn't even show up via Bonjour much of the time. I spent a few hours on this and gave up in disgust.

The only other option is Dropbox. That is disappointing. The only cloud I might be willing to trust is SpiderOak. Maybe.

I realize that the vault is encrypted. But I'm not ready to go that route because:
* if somebody does steal the vault they can do it without my knowledge and hammer away at it at their leisure. I have no way of knowing, so I can't take protective action such as changing my passwords. Unlike if somebody steals my iPhone.
* A user will typically have a somewhat "sane" password to unlock the vault, since it needs to be typed fairly often (and on an iOS keypad!). Thus it will be more easily cracked than many of the passwords stored in the vault.

Unfortunately as it stands the iOS version of 1Password was a complete waste of money for me.

Comments

  • khad
    1Password Alumni
    Unfortunately, Apple does not allow apps to sync via the USB cable. Only iTunes is allowed to do that. We would provide this if it was possible, and if it ever becomes possible in the future, we will certainly explore it.

    Dropbox syncing is actually much more secure than it may seem at first glance. From the moment we designed the Agile Keychain data format we ensured that it was able to withstand an attack should your data fall into the wrong hands, either as a result of a Dropbox breach or if someone physically stole your computer. As such, we use 128-bit AES encryption to protect your sensitive 1Password data as well as many other mechanisms to stop an attacker from ever accessing your information and we detail this here:

    http://help.agilebit...e_security.html

    if somebody does steal the vault they can do it without my knowledge and hammer away at it at their leisure. I have no way of knowing, so I can't take protective action such as changing my passwords. Unlike if somebody steals my iPhone.


    It certainly sounds easy if you put it that way. :)

    Fortunately, your 1Password data file uses PBKDF2 key strengthening to ensure that even an offline attack is essentially useless. PBKDF2 deliberately slows down the process of getting from a password to an actual decryption key. The idea is to make using automated password guessing tools, such as John the Ripper, impractical. PBKDF2 strengthens what would otherwise be the weakest part of a system, your master password. PBKDF2 is called a “Key Strengthening Protocol” for this very reason.

    It works by forcing the process that goes from your master password to the derived key to go through a large number of complicated iterations. Each time through, the data is transformed using an encryption process called HMAC-SHA1, and the resulting intermediate key is fed back into the whole thing again.

    To begin with the Agile Keychain format used 1000 iterations. We just bumped this up to 10,000 iterations to stay ahead of the curve (to put it mildly). :)

    Without PBKDF2, a password guessing program could try hundreds of thousands of passwords per second; with PBKDF2 that number is dramatically reduced because there is no way to test a possible master password without having to perform all of those operations. PBKDF2 may cause a fraction of a second delay for you when you enter your master password, but that fraction of a second quickly adds up when a password cracker is trying millions of passwords.

    According to the National Institute of Standards and Technology:


    What is the chance that someone could use the “DES Cracker”-like hardware to crack an AES key?
    In the late 1990s, specialized “DES Cracker” machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.


    You can read more about the Agile Keychain Design in the User Guide:

    http://help.agile.ws...ain_design.html

    So, as long as you use a secure master password that you don't use elsewhere, your 1Password data is incredibly safe even when stored on a service like Dropbox. If you're not sure about the strength of your master password, please do take a look at our recent blog post on this:

    http://blog.agilebit...ster-passwords/

    A user will typically have a somewhat "sane" password to unlock the vault, since it needs to be typed fairly often (and on an iOS keypad!). Thus it will be more easily cracked than many of the passwords stored in the vault.


    Again, the security of the system is deceptively simple. However, what is going on under the hood is immensely more complex (and secure) than most folks can even imagine.

    For 1Password to synchronize with Dropbox automatically, it will need access to the following three secrets:
    • Your Dropbox credentials (email address and Dropbox password)
    • Your master password for 1Password on your iOS device.
    • Your master password for your data as stored on Dropbox.

    Although it may appear insecure to store these secrets on your device for automatic syncing, it is actually far more secure than it initially looks. These three secrets are stored in an iOS keychain. This is a brilliant and beautiful security tool built into all iOS devices. When a program, such as 1Password, puts something into an iOS keychain, the data are, of course, automatically encrypted. But there is much more to it than that.

    For an item in an iOS keychain to be decrypted three things are needed:
    • The device must be unlocked.
    • The request must come from the app that put the item there in the first place. Each app on your device has a digital signature, and it is impossible for something other than the 1Password app itself to get into its keychain.
    • The decryption needs to use the unique hardware key built into each and every Apple iOS device. That means that even if someone were able to copy all the data from your device to a system that they completely control, they would not be able to gain access to your keychain.

    We take the additional precaution of making sure that even those encrypted credentials are never stored in (encrypted) backups in iTunes. This means that even if someone could break the security of the backup, there is no opportunity for anyone to launch an “off line” attack against these data in the iOS keychain.

    With all of these measures built into the iOS keychains, granting the 1Password app access to the information it needs to sync adds no meaningful security risk.

    For further details on the security of the syncing process:

    http://help.agilebit...is_syncing.html

    As for Wi-Fi syncing, it sounds like there is a configuration problem with your network. I'm sure we can resolve it if you would like to do so. Just let me know.

    Cheers,
This discussion has been closed.
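
The key stretching described in the reply above, as an added example that is not part of the original thread and is not AgileBits' code: PBKDF2 written out from HMAC-SHA1 so the feedback loop and the per-guess cost at 1,000 and 10,000 iterations are visible. The password, salt, 16-byte key length, candidate count and HMAC rate are constructed assumptions, not the Agile Keychain's actual parameters.

```python
import hashlib
import hmac
import struct
import time


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int = 16):
    """PBKDF2 (RFC 2898, section 5.2) built from HMAC-SHA1.

    Returns (derived_key, hmac_calls) so the per-guess cost is visible.
    """
    hlen = hashlib.sha1().digest_size            # 20 bytes per output block
    key, calls = b"", 0
    for block in range(1, -(-dklen // hlen) + 1):
        # U_1 = HMAC(password, salt || big-endian block index)
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha1).digest()
        calls += 1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_n = HMAC(password, U_{n-1}): each round needs the previous one,
            # so the chain cannot be skipped or run in parallel for one guess.
            u = hmac.new(password, u, hashlib.sha1).digest()
            calls += 1
            t ^= int.from_bytes(u, "big")
        key += t.to_bytes(hlen, "big")
    return key[:dklen], calls


def years_to_exhaust(candidates: int, hmac_per_second: float, iterations: int) -> float:
    """Worst-case years to test every candidate at `iterations` HMAC calls each."""
    return candidates * iterations / hmac_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    password, salt = b"constructed master password", b"constructed-salt"
    for iterations in (1000, 10_000):
        start = time.perf_counter()
        key, calls = pbkdf2_hmac_sha1(password, salt, iterations)
        elapsed = time.perf_counter() - start
        assert key == hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 16)
        print(f"{iterations:>6} iterations: {calls} HMAC calls, {elapsed * 1000:.1f} ms per guess")
    # Constructed figures: 10**10 candidate passwords, 10**8 HMAC-SHA1 per second.
    for iterations in (1, 1000, 10_000):
        print(f"{iterations:>6} iterations: {years_to_exhaust(10**10, 1e8, iterations):.4f} years")
```

The iteration count multiplies the work for every candidate password by the same factor, so it stretches a given master password's resistance linearly and does not replace choosing a strong one.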