Security: Storage of Dropbox and Master Passwords

Hi Guys,
I'm a newcomer to 1Password and I'm now set up on my iMac and iPhone. I've created a DropBox account and can sync automatically, without the need to enter anything put the four-digit passcode on my iPhone to start the App. Whilst setting up the sync, I had to enter (what I believe was) the iPhone 1Password Master password for decryption (and I set it to remember) and then the Dropbox password. All went well.

Can you tell me where these two passwords are stored and how are they secured as it seems a risk to store them anywhere on the phone? Thanks.


  • khadkhad Social Choreographer

    Team Member
    Welcome to the forums, Jeff! It is great that you are thinking about these things.

    Please take a look at our Lost iPhone? Safe Passwords! blog post which explains this along with some additional details like iOS protection classes.

    If we can be of further assistance, please let us know. We are always here to help!
  • Thanks Khad, that was just what I needed to read. I had not heard about the 'headlines' that has prompted the article - it just seems a vulnerability to me.

    If I may ask a quick closing question before I leave you in peace... when I am backing up my iPhone in iTunes, should I make it an encrypted backup or does the “Non-migratable” setting make this option unnecessary?
  • khadkhad Social Choreographer

    Team Member
    edited November 2011
    I'll highlight this sentence from the aforelinked blog post:

    The “Non-migratable” setting prevents attacks against device backups, as it ensures that the information is always encrypted with a unique hardware key built into the device.

    It sounds like the iOS Security Details section of the User Guide will provide the answer you seek. :)

    I'll include the most relevant bits here:

    If a backup is not password-protected, the keychain is encrypted using hardware keys stored in the iPhone and not accessible from the outside.

    If a backup is password-protected, the keychain is encrypted using software keys that are generated from the backup password. As a result, you can restore such backups to any device, and keychain information will be restored as well.

    Starting with 1Password 3.5.5 for iOS we do not allow the Dropbox and 1Password credentials in our iOS keychain to be migratable (as mentioned in the blog post). So an attack of the sort described in the User Guide would never reach the data stored in the iOS keychain as it would never leave your device.

    For confidential data other than 1Password you should be very careful about making encrypted device backups. Encrypting actually weakens the overall security of the data stored within the backup. It may have been wiser for Apple to have used the term “transferable backup” instead of “encrypted backup.” If you do make an encrypted backup, use 1Password’s strong password generator to create the password for that backup.
This discussion has been closed.