How safe is my data when I sync via Dropbox?

Yogie
Yogie
Community Member

Hi,

I do have security concerns syncing my data via Dropbox. But it seems to be the only working way to sync reliable and cross platform. So my question how safe is my data?

1Password is my companion and I store any secure data in my safe not only passwords also pins and credit card details.

Is there another reliable and more secure way to sync between multiple devices iOS, Mac OS and Android?

Cheers
Yogie

Comments

  • Hi @Yogie,

    1Password does not rely on Dropbox (or any sync provider) to secure your 1Password data. From the moment we designed our data format we ensured that it was able to withstand an attack should your data fall into the wrong hands, either as a result of a Dropbox breach or if someone physically stole your computer. As such, we use AES encryption with PBKDF2 key strengthening to protect your sensitive 1Password data as well as many other mechanisms to stop an attacker from ever accessing your information and we detail this here:

    Security of storing 1Password data in the cloud

    So, as long as you use a secure master password that you don't use elsewhere, your 1Password data is incredibly safe even when stored on a service like Dropbox. If you're not sure about the strength of your master password, please do take a look at our recent blog post on this:

    Toward Better Master Passwords

    We can't think of many better ways to show just how strongly 1Password protects your data than by pitting it against the pre-eminent password cracking tool John the Ripper. We did exactly that:

    1Password is Ready for John the Ripper

    With all that said, we are aware of the demand for people to be able to synchronize their 1Password data using other sync services. At the moment, Dropbox is the only cross-platform sync option that works with all the 1Password apps.

    We've also written a blog post about the implications of the NSA, PRISM, and such:

    On the NSA, PRISM, and what it means for your 1Password data

    Please let us know if you have any other questions. :)

  • khad
    khad
    1Password Alumni

    To add to the great links @JasperP‌ already shared, this may be our most recent post on the topic:

    Your Master Password is your defense from Dropbox breaches, real and imagined

  • Yogie
    Yogie
    Community Member
    edited July 2014

    Thank you for the very help and useful explanation. To be honest I still feel uncomfortable with data in the cloud, especially storing crucial and sensitive personal things at dropbox. There are many huge companies that deny storing data in clouds at all, so why should I trust more? I still like to have a more reliable sync option to sync between multiple devices, which means multiple Mac, multiple iOS devices and Android devices without the need to use dropbox or any other online storage. Up to now only WiFi comes into my mind for that but Android is not having that feature!

  • khad
    khad
    1Password Alumni

    The security of your data in Dropbox does not depend on the security of Dropbox. End-to-end encryption means your data is encrypted before it leaves your computer and not decrypted until it is safely on your own machine at the other end. Your data is strongly encrypted while in transit and while at rest.

    Your data is yours, though, and we at AgileBits always respect that. We've created 1Password to be secure no matter where your data is stored, but it is your choice where to store and sync your data.

    As you mentioned, Wi-Fi Sync is supported on Mac, Windows, and iOS for those who prefer to not use cloud syncing. It is not yet supported on Android. Right now, you would need to manually transfer your data file to your Android device if you wanted to keep it up to date while foregoing cloud syncing via Dropbox. (See the "Local Storage" section in the User Guide.) But I will definitely make sure that the developers know you are anxious to see Wi-Fi Sync on Android!

  • KaterinaDekha
    KaterinaDekha
    Community Member

    Hi @Yogie,

    I'm afraid it's too late to take part in this discussion, but nevertheless, I'll try to help you.

    My name is Katerina, I represent Cloud Labs, digital security company. Recently we have released our new interesting cloud encryption tool named Cloudifile http://cloudifile.com/ . It adds a proven security level to Dropbox without affecting its simplicity and efficiency. So, it can help you in your data security issue.

    Cloudifile – is a smart system that combines extra proven security layer and transparent cloud synchronization solution, and, in spite of that, it is totally free of charge.

    Cloudifile uses best-industry-standard encryption algorithms and secure architecture. Another one Cloudifile benefit is its simplicity. It easily integrates into the file explorer, so you can just pick the data to protect - and selected files will be securely encrypted and automatically sent to cloud.

    So, I suggest you visiting http://cloudifile.com/ and trying our solution. Any feedback from you would be great for us!

    Good luck!

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited November 2014

    Thanks for that pointer @KaterinaDekha‌!

    It would be great if you would test out using 1Password Dropbox sync with a Cloudifile security layer in place. I suspect that this will work reasonably well for those 1Password users who are only synching among Windows PCs. But @Yogie‌ specifically included Mac, iOS, and Android as well. And on mobile we have to interact directly with the Dropbox APIs.

    So I am not confident that something like Cloudifile will be a useful solution for @Yogie‌, but I would love to be wrong in my pessimism.

  • Hi, @KaterinaDekha‌.

    Thank you for your contribution to the discussion and for trying to help out @Yogie‌. Cloudifile sounds like a neat service indeed. Unfortunately, it's not a great solution for 1Password users.

    1. Since Cloudifile is only compatible with Windows, users of 1Password for Mac, iOS, and Android would not be able to read the data that Cloudifile encrypts.
    2. Even if Cloudifile supported all those platforms, our iOS and Android apps communicate directly with Dropbox via their API, so they would not have the Cloudifile middleman and thus could not decrypt the data.
    3. Finally, even if all devices could read the data, 1Password's conflict resolution mechanism would fall apart because it relies on a specific format of conflicts that are produced by Dropbox.

    I appreciate your thoughtfulness in suggesting Cloudifile. At this time, however, it's not something we can recommend to our users who rely on Dropbox sync.

  • KaterinaDekha
    KaterinaDekha
    Community Member

    Hi @jpgoldberg and @RobYoder,

    Thank you for your contribution! Indeed, for now Cloudifile deals only with Windows-based systems. But in our road map we plan to extend supported systems to iOS, Android, and then Mac OS. And as you both mentioned that, hope we are on the right way. As for 1Password, it would be really interesting to try it with Cloudifile.

    Thank you!

  • RichardPayne
    RichardPayne
    Community Member

    Given that one password data is already encrypted then I don't see the benefit.
    I suppose that it would protect the 1PasswordAnywhere html file but then the places where that is most useful likely wouldn't have Cloudifile installed.

    @jpgoldberg‌ have I missed something obvious?

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    You are absolutely correct @RichardPayne.

    Because 1Password provides end-to-end encryption, there really isn't a need to use an encrypted sync and storage service. However, a substantial number of people using 1Password, including @Yogie‌, seem to want that additional encryption layer, it is worth discussing possible approaches. But yes, I should have started by pointing out that this is largely unnecessary.

  • Niklas
    Niklas
    Community Member

    @jpgoldberg‌ In 1P4 and previous versions the app stored URL strings and a few other bits of information in cleartext. I don't know about 1P5 because I have not looked into the file format used yet. That alone was a reason to want an extra layer of protection. Then there is another reason not to fully trust Dropbox: Rice.

  • Correct. The .agilekeychain format leaves some metadata like the item title and domain unencrypted. The data format introduced in 1Password 4 encrypts all that information, but syncing with Dropbox still uses the old format for now. We'd like to change that soon, but I don't have a guaranteed timeframe for that.

This discussion has been closed.