Understanding Sync via 1Password Account vs. Dropbox

Hello, I'm trying to understand the security implications of synching my vault across multiple devices using a 1Password account vs. Dropbox. I have concerns about both models, but there is some confusing information on the support site about how 1Password account uses my vault data.

For example: "AgileBits is only minimally involved in your use of your data. We cannot decrypt your data or collect your Master Password, Account Key, or encryption keys". However, to authenticate to my.1password.com by browser, I need to provide both my master and key.

Also, what does "minimally involved" really mean?

Via Dropbox, I can turn on 2 factor authentication as well.

Thoughts? Thank you for any help and clarification.


1Password Version: 6.5.2
Extension Version: Not Provided
OS Version: OS Sierra 10.12.2
Sync Type: Not Provided

Comments

  • I think what they mean is simply that they never see the decrypted data. All the encryption takes place on your device and your encryption keys are never transmitted. But yea, the phrase "minimally involved" is a bit vague.

  • Maybe the better question to ask is simply "how does the 1password account synch actually work?" Does my vault live on an AgileBits server (although encrypted)? And, how are my master password and key used to authenticate on the my.1password.com site?

  • Yes, your vault lives on their servers - fully encrypted. And your keys are used to encrypt/decrypt your data locally on your device and only on your device (i.e. in the browser itself, or in the app when you're using that). That's what they mean by Encrypted from End to End.

    Anyway, I am just another user with too much time. :lol: I'm sure an AgileBits employee will answer your questions when they get here. In the mean time https://1password.com/security/ has some good explanations, I think.

  • brentybrenty

    Team Member

    Hello, I'm trying to understand the security implications of synching my vault across multiple devices using a 1Password account vs. Dropbox. I have concerns about both models, but there is some confusing information on the support site about how 1Password account uses my vault data.

    @eke: Awesome! Excellent questions, and I love that you've cared enough to ask them — and to pursue this in the first place!

    For example: "AgileBits is only minimally involved in your use of your data. We cannot decrypt your data or collect your Master Password, Account Key, or encryption keys". However, to authenticate to my.1password.com by browser, I need to provide both my master and key. Also, what does "minimally involved" really mean?

    I'll go into these in more detail below, as it relates to other points made in this discussion.

    Via Dropbox, I can turn on 2 factor authentication as well. Thoughts? Thank you for any help and clarification.

    While 1Password Teams does have some support for Duo multifactor authentication (in beta currently), you're right that for the most part, 1Password.com users don't have a traditional "second factor". This is pretty controversial, and we could have a whole discussion around this, but I think there are a few key points when comparing with Dropbox:

    1. Dropbox two-factor authentication is a great tool to ensure that it takes more than just your static login credentials to access your account...
    2. but with 1Password.com the Account Key strengthens the security of your data, since it is used to actually encrypt your data (along with your Master Password).
    3. In that vein, no one could access your 1Password Account even if they are able to brute force your Master Password (monkey123?) — the Account Key is still not known.
    4. Also, since the Account Key is never transmitted and used only when authorizing a new device, the opportunities to capture it are limited.

    But getting back to the main question:

    Maybe the better question to ask is simply "how does the 1password account synch actually work?" Does my vault live on an AgileBits server (although encrypted)? And, how are my master password and key used to authenticate on the my.1password.com site?

    Regardless of whether you use a local vault (and sync with Dropbox) or 1Password.com, your data is encrypted on your device locally. And since the Account Key (in the case of 1Password.com) is created locally, your Master Password is only known by you, and neither is ever transmitted, no one — including AgileBits — has the means to decrypt the data. You can read more details on how all of this works in our white paper. I think a lot of people roll their eyes when I direct them to that because it seems daunting and overly technical, but given your interest and questions I think you might really enjoy it. In addition to being informative, it's actually a rather entertaining read. And be sure to let us know if you have any other questions! :eh:

    I think what they mean is simply that they never see the decrypted data. All the encryption takes place on your device and your encryption keys are never transmitted. But yea, the phrase "minimally involved" is a bit vague.

    @pervel: I love this, because it's a fair criticism and highlights the difficulty of expressing something like this accurately. :lol:

    Your assessment is correct (as I mentioned above), so since we do store users' encrypted data, we can't really say that we're "not at all involved"; but at the same time, we've designed 1Password.com from the ground up with the goal of knowing and having as little as is necessary for all of this to work. Thus, the phrase "minimally involved". Our goal has always been not to be involved with users' data at all, and in fact we aren't if you use the standalone 1Password app. But after years of requests for simpler sync and easy sharing, the only way to make it happen was to get involved. So in that context our goal is to at least keep it to a minimum. ;)

  • @brenty thank you for the detailed response and link to the whitepaper. I will absolutely read it (all 63 pages!) this weekend. I apologize if this is answered in the paper too, but my last question is around the my.1password.com site. When you say "the Account Key is never transmitted" and "data is encrypted on your device locally", what is done with the Key and master when I use them to access the site? Or, is the my1.password.com site just a thin client to access my local vault file?

    Also, great news about the Duo support. I'm a Duo user and would love to be part of the beta. If that's possible, just let me know how to participate.

    Thanks!

  • @brenty thank you for the detailed response and link to the whitepaper. I will absolutely read it (all 63 pages!) this weekend. I apologize if this is answered in the paper too, but my last question is around the my.1password.com site. When you say "the Account Key is never transmitted" and "data is encrypted on your device locally", what is done with the Key and master when I use them to access the site? Or, is the my1.password.com site just a thin client to access my local vault file?

    Also, great news about the Duo support. I'm a Duo user and would love to be part of the beta. If that's possible, just let me know how to participate.

    Thanks!

  • brentybrenty

    Team Member

    @brenty thank you for the detailed response and link to the whitepaper. I will absolutely read it (all 63 pages!) this weekend. I apologize if this is answered in the paper too, but my last question is around the my.1password.com site.

    @eke: Hey, no worries! Reading the white paper is not a prerequisite for asking questions. That's what we're here for! I just wanted to make sure you knew that was available since it includes a lot of great detail and examples. :)

    When you say "the Account Key is never transmitted" and "data is encrypted on your device locally", what is done with the Key and master when I use them to access the site? Or, is the my1.password.com site just a thin client to access my local vault file?

    1Password.com uses WebCrypto to do all of this in your browser, so that neither the Account Key nor the Master Password ever need to leave your device, and we never have them. So, not quite a local vault, as it's just retrieving the encrypted data from the server on demand and decrypting it locally. If you're using the 1Password apps though, the encrypted data is cached locally so it's available offline.

    Also, great news about the Duo support. I'm a Duo user and would love to be part of the beta. If that's possible, just let me know how to participate. Thanks!

    To enable Duo, you'll need to have a Pro account with 1Password Teams, and then you can login as admin to enable the beta features:

    https://start.1password.com/settings/beta

    So right now this isn't available in other 1Password.com plans, but it's certainly something we'll consider offering other places in the future. Cheers! :)

  • So it sounds like the only real functional difference in encryption between a 1Password.com vault and a Dropbox-synced vault, then, is that the 1Password.com vault needs both key and password to be decrypted, while the Dropbox-synced vault only needs the password?

    If so, is there a reason that extra security feature has never been implemented w/ the standalone version? That, for me, is the only thing attractive about choosing the subscription service over the standalone version at this point (I'm quite satisfied with how Dropbox sync works otherwise), but it seems a bit absurd to have to pay a monthly fee for a one-time generation of an account key that requires no upkeep on AgileBits' part to maintain.

  • brentybrenty

    Team Member

    If so, is there a reason that extra security feature has never been implemented w/ the standalone version? That, for me, is the only thing attractive about choosing the subscription service over the standalone version at this point (I'm quite satisfied with how Dropbox sync works otherwise), but it seems a bit absurd to have to pay a monthly fee for a one-time generation of an account key that requires no upkeep on AgileBits' part to maintain.

    @publicq: I agree. Fortunately there's a lot more to 1Password.com than the Account Key, even though that is rather nice (zero-config sync, web interface, offsite backup, item history, etc.) But this isn't something we can do on our end since we don't control the Dropbox service and decide how things are implemented there (as far as I know, they're not using SRP). If you're not using our servers and getting all of the other benefits of a 1Password.com membership, there's no need to pay us for it.

    In the case of Dropbox sync with a local vault, you could sort of replicate this yourself if you legitimately only care about having another strong key protecting your data: create a crazy random password for your account. And I'd use two-step authenticate there as well for good measure. Cheers! :)

  • I just started free trial for my subscription today and so very new to this. This article really helps. So I started playing with the apps and found that if I log out of my account, then I'll have to buy the app with 1 time fee to edit. And I'm guessing I'll have to buy apps for Mac, Windows, and my mobile devices separately? So actually subscription model isn't a bad deal in terms of pricing. And just to confirm, if I cancel subscription, I can still access my vault in read only mode?

    So I have 2 vaults currently with 1 in my Mac synced with Dropbox and other is the default vault using 1Password.com. Seems like they play well with each other. Now I'm still having some problem trying to decide on the ultimate single vault solution.

    I guess after reading this thread, it comes down to this. If 1Password.com gets hacked and bad guys have the encrypted vault file, then to decrypt it, they will need both the key and password which 1Password.com doesn't store. On the other hand, if Dropbox gets hacked, they can get the encrypted vault file and just have to guess the master password to get it decrypted. So, it seems that 1Password.com encrypted vault file is more secure. So round 1 goes to 1Password.com sync.

    However, Dropbox might have some advantages. I don't mean it to be insulting, but I'm guessing Dropbox is a bigger company with more resources dedicated to prevent hacking attack. I can't be sure, just a guess. Also, 1Password.com will only save the vault file. So attack on the site will be more specific. Get vaults and try to decrypt. Dropbox hacking attack could be general attack. Get access to all files user has stored. This could reduce the chance of hackers specifically looking to decrypt the vault file.

    That being said, password sync is definitely easier with 1Password.com and setting up a new device with it is a breeze. So user experience wise 1Password sync is definitely better.

    Also there's one other issue about Dropbox. The folders are synced in all my local computers and devices. So those are another points of attack. i.e. someone with access to one of my devices can decide to copy the vault.

    So I see there's advantage and disadvantage to both. Dropbox has never let me down, while I'm new to 1Password. With sensitive nature of data saved in these vault files, it's definitely a lot to consider.

  • brentybrenty

    Team Member

    @sharif44k: Some really great points, and questions as well:

    I just started free trial for my subscription today and so very new to this. This article really helps. So I started playing with the apps and found that if I log out of my account, then I'll have to buy the app with 1 time fee to edit. And I'm guessing I'll have to buy apps for Mac, Windows, and my mobile devices separately? So actually subscription model isn't a bad deal in terms of pricing.

    Indeed, traditionally we've sold each app separately, as originally most folks were using one or two platforms. How things have changed! A lot more people have Macs and PCs now (often between home and work) in addition to mobile devices, and having to purchase multiple versions and configure sync isn't something a lot of people want to do.

    And just to confirm, if I cancel subscription, I can still access my vault in read only mode?

    Correct, all of the data in your 1Password.com account is still available for you to access and/or export, you just can't make further changes to it without subscribing.

    So I have 2 vaults currently with 1 in my Mac synced with Dropbox and other is the default vault using 1Password.com. Seems like they play well with each other. Now I'm still having some problem trying to decide on the ultimate single vault solution.

    Yep, 1Password for Mac version 6 natively supports both local vaults (which can be sync'd via Dropbox) and 1Password.com accounts. I use both there myself, but admittedly I'm looking forward to migrating everything to 1Password.com once that's feasible for me. It's just a lot less management, as far as syncing and sharing data.

    I guess after reading this thread, it comes down to this. If 1Password.com gets hacked and bad guys have the encrypted vault file, then to decrypt it, they will need both the key and password which 1Password.com doesn't store. On the other hand, if Dropbox gets hacked, they can get the encrypted vault file and just have to guess the master password to get it decrypted. So, it seems that 1Password.com encrypted vault file is more secure. So round 1 goes to 1Password.com sync.

    That's a fair assessment, but I think I'd just add a few points: First, they'd have to login to your Dropbox account or get your data from your device in the first place before they can make any attempt at guessing your Master Password to decrypt the vault. So that's less concerning, especially when you consider that a long, strong, unique Master Password will be infeasible to guess, especially with PBKFD2 slowing down automated attempts. This applies to all "flavours" of 1Password. To be continued...

    However, Dropbox might have some advantages. I don't mean it to be insulting, but I'm guessing Dropbox is a bigger company with more resources dedicated to prevent hacking attack. I can't be sure, just a guess. Also, 1Password.com will only save the vault file. So attack on the site will be more specific. Get vaults and try to decrypt. Dropbox hacking attack could be general attack. Get access to all files user has stored. This could reduce the chance of hackers specifically looking to decrypt the vault file.

    Dropbox undoubtedly has much greater scale than we do. I can tell you that without even trying to find the numbers. We're not a large company, and Dropbox has been running their cloud service for probably almost a decade. I believe they used to use AWS as we do, but run their own servers "in house" now since they've grown so much.

    However, with 1Password.com we've taken it a step further than the security we use for local vaults (which is itself more than sufficient). After all, not everyone will have 1Password data stored in Dropbox, but 1Password.com is guaranteed to be a target for folks who'd want to get 1Password users' data (obvious, but important to keep this in perspective). So we've designed 1Password.com accounts to also use the Secret Key to encrypt data (along with the Master Password). That way even if someone breaks into our server and gets the data, they not only won't have the keys to decrypt it, but they will not be able to perform a brute force attack against the Master Password.

    That being said, password sync is definitely easier with 1Password.com and setting up a new device with it is a breeze. So user experience wise 1Password sync is definitely better.

    I'm glad you're enjoying that too! Being a long-time Dropbox user myself, I'm more than conformable with that. But my family isn't, and frankly I don't mind not having the extra work too. ;)

    Also there's one other issue about Dropbox. The folders are synced in all my local computers and devices. So those are another points of attack. i.e. someone with access to one of my devices can decide to copy the vault.

    It's important to keep in mind that this applies to any data stored on your device. But with 1Password, it's encrypted; and you're the only one with the "keys" to decrypt it. :sunglasses:

    So I see there's advantage and disadvantage to both. Dropbox has never let me down, while I'm new to 1Password. With sensitive nature of data saved in these vault files, it's definitely a lot to consider.

    Hopefully this additional information helps, and be sure to let us know if you have any other questions. We're here for you. :)

  • The following is my user experience from both systems, standalone 1PW with Dropbox sync and 1Password Account:

    I have been using 1PW standalone for years. Dropbox was setup long time ago, no issues with syncing among multiple devices and platforms (iOS, OSX, Windows). But I have done it so long ago that I do not remember the steps to Dropbox sync setup and I would have to follow some guide to do that setup again.

    I have setup recently my parents on 1Password account - in one afternoon. They love it and use 1Password for their login credentials, also iOS, OSX and Windows. So far, the experience we had is "It just works". And it definitely steered them away from "pasword123" kind of passwords. Thank you AgileBits!

    So, my take: If simplicity is important, 1Password account is the way to go. And more features are included then with standalone version.
    On the other hand, if you do not mind tinkering with computers and software, standalone version might work just fine.

  • brentybrenty

    Team Member
    edited July 2017

    @Fairgame: Thanks for sharing this! I actually have a similar background with 1Password myself so a lot of this is familiar to me, but you raised one point I hadn't considered, which seems obvious now that you mentioned it:

    have been using 1PW standalone for years. Dropbox was setup long time ago, no issues with syncing among multiple devices and platforms (iOS, OSX, Windows). But I have done it so long ago that I do not remember the steps to Dropbox sync setup and I would have to follow some guide to do that setup again.

    That's one area where my experience is not typical. I totally get that 1Password.com simplifies and streamlines setup significantly. But given the testing I've done with 1Password and Dropbox over the years, knowing how to set it up hasn't been a hurdle for me, only the time and effort involved in configuring sync on each device, especially with multiple vaults. But either way, 1Password.com makes it a lot easier, regardless of a person's background. Dropbox is a great multi-purpose sync service that's a good fit for technical folks; but I don't mind saving some time and trouble by using 1Password.com now instead. Cheers! :)

This discussion has been closed.