Heartbleed and Dropbox
Comments
-
What is said publicly is that you should wait to change a password until you can determine that the password-protected site has been secured. A related and somewhat more worrisome question is whether 1Password files stored on Dropbox are accessible through Heartbleed or whether they are adequately encrypted. If they aren't, it might be smart to use a different cloud or sync method for now.
-
Hi @PWChinook,
I'm glad to hear that you're thinking about your security here! As @raleedy says, changing a password before the site has confirmed that it is updated is not going to help. Please take a read through our security expert's blog post here: Imagine no SSL encryption, it’s scary if you try. There's some good information in there.
And @raleedy,
Again, thinking seriously about your security, particularly in light of a bug like this, is a good thing. I just want to follow up a bit here to answer your 'worrisome question'.
We are very confident about storing 1Password data in the cloud, as your data file is encrypted with an exceedingly secure encryption algorithm called AES. Even if someone were to acquire a copy of your 1Password data file, it would be extremely difficult (approaching impossible in a human lifetime) for them to actually gain access to your passwords without your Master Password. In short, we believe it is just as secure as having the data on your laptop. To learn more about cloud data security, have a read through the following article.
http://help.agilebits.com/1Password3/cloud_storage_security.html
And you can see the thoughts behind our data format's design here.
http://learn.agilebits.com/1Password4/Security/keychain-design.html
Also, you can check out our blog for many more articles that go into the nitty-gritty math behind what makes 1Password so secure.
http://blog.agilebits.com/tag/cryptography_/
I hope this helps, but we're here if you have any further questions!