Alternatives to DropBox

Has Agile been giving thought for providing support for alternative sync methods beyond Wi-Fi (for MAC) and DropBox? With some of the bad press lately regarding DropBox I've been pondering other sync solutions as possible alternatives but am feeling a bit locked in with 1Password. SpiderOak is one that comes to mind as an alternative as they also have an app for the iPhone/iPad and work on PC/Mac/Linux as well...

Their site:

http://www.spideroak.com/

Some API info:
https://spideroak.com/faq/questions/37/how_do_i_use_the_spideroak_web_api/

Code page:
https://spideroak.com/code

Would be nice to have other possibilities...

Comments

  • CurbedEnthusiasm
    CurbedEnthusiasm
    Community Member
    I'm also concerned about Dropbox security issues recently, and pose a thought that maybe a company-solution is required for syncing so that Agile are not reliant on a 3rd party for their product. If I were Agile, it would be far too risky to trust another company for a feature of my product - I'd want my own, controllable, manageable solution. But that's just me.
  • DBrown
    DBrown
    1Password Alumni
    Thanks for sharing your opinion on this, CE.

    The thing to remember is that, no matter where it's stored, your 1Password data is protected with 128-bit AES encryption:

    Please see these documents for a more thorough discussion of the issue:
  • CurbedEnthusiasm
    CurbedEnthusiasm
    Community Member
    edited April 2011
    Thanks David, those links are interesting and I appreciate Agile being good at responding to items and issues in the news, etc. Well done, you have impressed me immensely with your customer focus.

    I'm still concerned about Dropbox since their revelation, but it's probably highly unlikely a breach would occur.

    I think ultimately, when or if you implement 256-bit AES and encrypt the entire contents of login data, I'll feel ready to use 1Password exclusively. Til then I'm in a password holding pattern.
  • DBrown
    DBrown
    1Password Alumni
    edited April 2011

    Thanks David, those links are interesting and I appreciate Agile being good at responding to items and issues in the news, etc. Well done, you have impressed me immensely with your customer focus.

    Thanks, CE!

    I'm still concerned about Dropbox since their revelation, but it's probably highly unlikely a breach would occur.

    Concern is reasonable, but I agree with your assessment.

    I think ultimately, when or if you implement 256-bit AES and encrypt the entire contents of login data, I'll feel ready to use 1Password exclusively. Til then I'm in a password holding pattern.

    It's up to you, of course; but my personal opinion is that 256-bit AES encryption is overkill.

    Here's a snippet from our Agile Keychain Design article:

    The Agile Keychain uses 128-bit keys instead of 256-bit keys because they are long enough to be very secure and short enough to allow devices like the iPhone and web browsers to quickly decrypt their contents. The extra computation required for 256-bit encryption was simply not justifiable given the astronomical nature of a 128-bit key. According to the National Institute of Standards and Technology:

    What is the chance that someone could use the “DES Cracker”-like hardware to crack an AES key?

    In the late 1990s, specialized “DES Cracker” machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message.

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.


    I just sleep better knowing how long I'll be past caring if someone cracks my master password, even if he's already been working on it full-time for the entire two and a half years I've been using 1Password. :)
  • Chris Epler
    edited May 2011
    DBrown wrote:

    Here's a snippet from our Agile Keychain Design article:

    The Agile Keychain uses 128-bit keys instead of 256-bit keys because they are long enough to be very secure and short enough to allow devices like the iPhone and web browsers to quickly decrypt their contents. The extra computation required for 256-bit encryption was simply not justifiable given the astronomical nature of a 128-bit key. According to the National Institute of Standards and Technology:



    What testing has Agile done to make a statement like this? I notice no delays decrypting on my iPhone, iPad 1, or iPod Touch 3rd Gen, and from what I've heard there is about a 30-40% hit going from 128 to 256 bit.... 40% more than about nothing is still pretty darn close to nothing. Skimping with 128-bit feels more like someone doesn't want to pay higher licensing fees for some commercial AES library rather than a real performance issue. Show us some numbers to back this up.
  • DBrown
    DBrown
    1Password Alumni
    edited May 2011
    Skimping?

    I'll quote again this information from the NIST article:

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.

    I don't know what testing was conducted, because it was done before I joined; but I'm comforted by the knowledge that the universe hasn't existed long enough for someone to have cracked a 128-bit AES key, even if he had started at the moment of the Big Bang.
  • CurbedEnthusiasm
    CurbedEnthusiasm
    Community Member
    DBrown wrote:

    Skimping?

    I'll quote again this information from the NIST article:

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.

    I don't know what testing was conducted, because it was done before I joined; but I'm comforted by the knowledge that the universe hasn't existed long enough for someone to have cracked a 128-bit AES key, even if he had started at the moment of the Big Bang.


    I certainly think 128-bit is perfectly fine too, David. I wouldn't say no to seeing 256-bit in 1Password, but it's not like 128-bit has any known weakness :)
  • svondutch
    svondutch
    1Password Alumni
    Think of 128-bit AES and 256-bit AES as two planets millions of lightyears from Earth. The 256-bit planet is farther away from Earth but in practice both of them are unreachable.
  • DBrown wrote:

    Skimping?

    I'll quote again this information from the NIST article:

    Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), it would take that machine approximately 149 thousand billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be fewer than 15 billion years old.

    I don't know what testing was conducted, because it was done before I joined; but I'm comforted by the knowledge that the universe hasn't existed long enough for someone to have cracked a 128-bit AES key, even if he had started at the moment of the Big Bang.


    Yes, skimping, 256 is there, and can be put to use. Sorry David, but this just comes off like a marketing brush-off to me. If there is no real difference in how long it takes to perform operations on current platforms with 256 bit then there is no reason NOT to use it. Why would you turn down and NOT use security in a security app if there is no real detraction? And please don't go back to the same old "You don't need it because 128 is like God and even we can't crack GOD!" crud. The attitude Agile has regarding 128 vs. 256 as well as the unencrypted items in the database still irk me (Is there any update on the improved database format?). You would think that a company concerned with customer data security would want do the MOST to protect their customers data.
  • svondutch
    svondutch
    1Password Alumni
    edited May 2011
    We are always working on security and the protection of our customer's data. That is why great things are on the horizon. In the meantime, rest assured your data is VERY safe. We have yet to see someone break 1Password encryption.
This discussion has been closed.