Security of iCloud and Dropbox syncing

dfz

There have been a lot of examples of online password files being fetched and attacked. This gets me wondering of the security of using iCloud or Dropbox to sync 1Password keychains. If my account on either of those is compromised and my 1Password keychain obtained, how secure is it against attack? I assume that depends on how good my password is, but there is a tradeoff between usability and security. Recommendations are starting to say you need 14-15 alphanumeric+special characters to really be secure these days. That's a real pain to open 1Password on an iPhone.

Would it be better to do a WiFi sync? Though the 1Password keychain is in bad hands if the laptop or iPhone is stolen, I can use file vault and the other Apple mechanisms to protect the keychain. I don't believe Filevault is vulnerable to an automated attack. (Please correct me if I'm wrong).

Another question, do I need the same master password on all devices? If not, how does syncing work to get the updated records from one device to another?

Megan

Hi @dfz,

I am so glad you are thinking strongly about the security of your data - thats what we like to see!

We are very confident about storing 1Password data in the cloud, as your data file is encrypted with an exceedingly secure encryption algorithm called AES. Even if someone were to acquire a copy of your 1Password data file, it would be extremely difficult (approaching impossible in a human lifetime) for them to actually gain access to your passwords without your Master Password. In short, we believe it is just as secure as having the data on your laptop. To learn more about cloud data security, have a read through the following article.

http://help.agilebits.com/1Password3/cloud_storage_security.html

And you can see the thoughts behind our data format's design here.

http://learn.agilebits.com/1Password4/Security/keychain-design.html

Also, you can check out our blog for many more articles that go into the nitty gritty math behind what makes 1Password so secure.

http://blog.agilebits.com/tag/cryptography_/

You're right though, the best protection for your data, across all computers and devices, is going to be a really strong Master Password. This doesn't mean though that you need a long, unrecognizable string of characters, numbers and symbols. We have an article that discusses how to create great passwords using random words (which are both easier to remember and type!) - you can read all about it here: Towards better Master Passwords

To answer your final question, your Master Password will be the same across all computers and devices.

I hope this helps but if I can provide any further clarification, please let me know! :)

dfz

First of all, thanks for the pointers to the articles. I'm much better informed now.

At the end, you say "To answer your final question, your Master Password will be the same across all computers and devices."
But I've read among your articles that the master password can be different on my iPhone and Mac. If that is so, can the keychain still sync among devices? If it can, how does it decrypt the keychain with different master passwords on each device?

A follow up question: Is there any criteria to help decide whether to use Dropbox or iCloud syncing? iCloud seems easier to use, since you don't need the DropBox setup. Are they the same level of security?

till213

You're right though, the best protection for your data, across all computers and devices, is going to be a really strong Master Password.

Could not be stressed enough! Especially after reading this article here on Ars Technica:

http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

(btw which made me eventually use a password manager - that, plus several breaches into forums such as from Adobe and others).

The article basically sais: "If you use any combination of word(s) that can be found on the Internet (using Google, Twitter, Wikipedia articles etc.) for your password, your password is at the risk of being guessed!"

Not with brute force, but really with clever "substitution rules" and "know password lists" (which more and more often are completely auto-generated using dictionary lookups from various Internet sources, as the mentioned Google, Twitter etc. services).

So if you thought that "Am i ever gonna see your face again?" (36 characters) or even "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1" are "secure passwords" - think again!

Bottom line: I'll never going to trust my keychain file into any cloud service, given all that NSA fuss in the recent months! Sure, the current Master Password that I currently have would probably not stand a serious "password guessing using rules"-attack for much longer than a few days (or even hours!), but at least the attacker would need physical access to my devices.

So when are we going to see Wi-Fi sync between Macs? :) (I currently use Folder Sync with a "shared folder on NAS in between", which works, but always "wakes up" my Synology NAS from Deep Sleep when I login into my Mac).

Megan

Hi @dfz,

I would like to apologize for the delay in responding to you here but we have been a bit overwhelmed since the launch of 1Password 4 for Mac. We're all working hard and putting in extra hours to get back to our usual snappy responses and we really appreciate your patience.

At the end, you say "To answer your final question, your Master Password will be the same across all computers and devices." But I've read among your articles that the master password can be different on my iPhone and Mac.

One datafile will have one Master Password. Unfortunately there is a Known Issue that our developers are currently working on where "Changing Master Passwords do not sync to other Macs or your mobile devices. Once you change it on one Mac, you'll need to change it manually on the other Macs and mobile devices." This does not mean that you should continue to use a different password on different devices though. It is a bug that will hopefully soon be squashed.

Is there any criteria to help decide whether to use Dropbox or iCloud syncing? iCloud seems easier to use, since you don't need the DropBox setup. Are they the same level of security?

I've got some more reading for you to do here, because we have many experts on the team who are smarter than I am when it comes to this sort of thing. Mike's post here outlines some of the differences between the two sync systems. For more specific detail about the specific security differences between Dropbox and iCloud, I'm going to ask @jpgoldberg, our security guru, to weigh in with his thoughts. The one benefit to using iCloud is that iCloud sync makes use of our newly re-designed Cloud keychain format, which is designed to be even more secure than the 1Password.agilekeychain. :)

I hope this helps, but keep the questions coming if you have more!

Hi @till213,

Thanks so much for including your thoughts here! You're right, a good strong Master Password really can't be stressed enough. And it's in times like this that I love to reference the wisdom of xkcd for a great example of a dice-ware password.

So when are we going to see Wi-Fi sync between Macs?

Unfortunately, I can't say much about unreleased features, but our developers are certainly aware of how important non-cloud-based sync options are for many users, and we are actively working to improve the flexibility of the options. I'm glad to hear that you have found a workable solution in the meantime. :)