Dropbox 1PasswordAnywhere secure?

nopenotme
Community Member
edited March 2014 in Lounge

New user, I hope you'll forgive what is probably a silly question: does use of 1PasswordAnywhere on my home and office computers (neither are "public") seriously lessen the security of my passwords? Or should I feel reasonably confident that interacting with that DropBox file is not leaving my data exposed? I have the iOS version of 1Password, and would like to be able to read/use my passwords on other machines.

Comments

  • Jasper
    edited March 2014

    Hi @nopenotme,

    Good question! First of all, 1PasswordAnywhere uses the very same data file that 1Password itself uses, so it has the same security in that respect. When using 1PasswordAnywhere, your encrypted data is not stored on disk unencrypted at any point. For all intents and purposes it is exactly as secure as using the main 1Password application. Also, all encryption/decryption of your data is done locally in your browser using JavaScript.

    If you have any more specific questions about this, please let us know! :)

  • jpgoldberg
    1Password Alumni
    edited March 2014

    As @JasperP has correctly pointed out, it is all the same data, encrypted all the same way, with all of the same security properties.

    As you probably know, there are rarely simple answers to security questions. So here is where it gets complicated:

    However, there is one risk unique to 1PasswordAnywhere, which does not apply to other cases. If an attacker is capable of breaking into your Dropbox account and changes the contents of the 1Password.html file, she can modify it so that it records and sends off your Master Password.

    When you use the 1Password application itself, there are numerous checks to ensure that the software you are running hasn't been tampered with. But those checks depend on things checked by your operating system. But when you are loading cryptographic tools into your browser from a website (in this case your page on Dropbox), you have to trust that those tools haven't been tampered with.

    So, if you worry that someone might be able to tamper with your 1Password.html file on Dropbox, you should carry those worries over to 1PasswordAnywhere. If, on the other hand, you are sufficiently confident that nobody has compromised your Dropbox account and tampered with your data there, then you should continue to feel comfortable using 1PasswordAnywhere.
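    The tamper risk described in this reply has a cheap local check. What follows is an added example, not code from the thread or from AgileBits: it records a SHA-256 of the synced 1Password.html in a pin file kept outside Dropbox and reports any later change before you open the page in a browser. Both paths are assumptions; adjust them to your own layout.

```python
"""Pin and verify the digest of the Dropbox-synced 1Password.html.

Added example, not part of the thread or of 1Password/AgileBits code.
The native app can lean on the operating system's integrity checks; a page
loaded from Dropbox cannot, so we keep a known-good SHA-256 of the file in a
location outside Dropbox and refuse to open the page if it no longer matches.
"""
import hashlib
import hmac
import sys
from pathlib import Path

# Assumed locations (hypothetical; adjust to your own Dropbox layout).
DROPBOX_FILE = Path.home() / "Dropbox" / "1Password.agilekeychain" / "1Password.html"
PIN_FILE = Path.home() / ".1password_anywhere.sha256"   # deliberately outside Dropbox


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_or_pin(target: Path, pin_file: Path) -> str:
    """Return 'pinned' on first run, 'ok' if unchanged, 'TAMPERED' if the digest differs.

    First run: record the digest (do this only when you have just verified the
    file yourself, e.g. right after a fresh install or a deliberate update).
    Later runs: any difference means the copy on Dropbox changed and should not
    be opened until you know why.
    """
    current = sha256_of_file(target)
    if not pin_file.exists():
        pin_file.write_text(current + "\n")
        return "pinned"
    expected = pin_file.read_text().strip()
    # Constant-time comparison; not strictly needed for a local file, but cheap.
    return "ok" if hmac.compare_digest(current, expected) else "TAMPERED"


if __name__ == "__main__":
    status = verify_or_pin(DROPBOX_FILE, PIN_FILE)
    print(f"{DROPBOX_FILE}: {status}")
    # Non-zero exit so a wrapper script can refuse to launch the browser.
    sys.exit(0 if status in ("ok", "pinned") else 1)
```

Re-pin only after a deliberate update of the file; a surprise "TAMPERED" is exactly the signal this check exists to give.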

  • nopenotme
    Community Member

    That helps a great deal. Thanks.

  • khad
    1Password Alumni

    On behalf of @JasperP and @jpgoldberg, you are quite welcome!

    Looking forward to replying to your other posts momentarily. :)

  • ethansisson
    Community Member

    The possibility of someone tampering with the 1Password.html file is really good to know about. That changes the way I think about one of my practices. You guys think of everything. Thanks for the explanation, @jpgoldberg.

  • jpgoldberg
    1Password Alumni

    You are very welcome, @ethansisson!

    I don't know about "think of everything", but we do pay attention to where attacks may come from and to the cryptographic and security literature.

  • benfdc
    Community Member

    Great thread. Do developments like Goto Fail and Heartbleed raise additional concerns?

  • RichardPayne
    Community Member

    Great thread. Do developments like Goto Fail and Heartbleed raise additional concerns?

    Yes.

    From the blog (http://blog.agilebits.com/2014/04/08/imagine-no-ssl-encryption-its-scary-if-you-try/)

    The one place where 1Password depends on the security of SSL/TLS is for 1PasswordAnywhere. If an attacker can control that connection, they could substitute in a malicious copy of the 1password.html file. However, at latest check, Dropbox does not appear to be affected by the Heartbleed bug, so this particular issue with SSL/TLS security is not a worry for those using 1PasswordAnywhere. However, Dropbox is reported to have been vulnerable earlier, so until Dropbox has a new certificate in place, we advise people to avoid using 1PasswordAnywhere.

  • benfdc
    Community Member

    I guess the point here is that there are (or were) two ways to tamper with 1Password.html—on the dropbox.com servers or in transit.

  • jpgoldberg
    1Password Alumni

    Dropbox was early to update OpenSSL (it was patched before I tested Tuesday morning, and I'm only going on other reports that it had been vulnerable).

    I don't know if they are attempting to get and install new certificates or whether they will be advising people to change passwords.

  • benfdc
    Community Member
    edited April 2014

    Here's what I have not seen in the reporting:

    Do not log on to any sensitive website until you receive assurance either

    • that the site never had the Heartbleed vulnerability – or –
    • that the site has been patched and secured via a new certificate issued using a new keypair.

    Why am I not seeing this warning? Is it because my understanding of the threat is wrong (Schneier says that “the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies”), or is it because the advice is sound but the consequences of giving it are too horrific to contemplate?
