Storing 1PW keychain inside "public" Dropbox folder? [Not Recommended]

spinmaster
Community Member
edited August 2014 in Mac

Hi,

so far, I have been using 1PW4 locally on my Mac. In order to access my vault while at work or at other places, I'd like to sync my keychain with my Dropbox account. I did a quick test with opening the keychain in a browser and it seems to work just fine.

Now: does it make sense to store the keychain in the public Dropbox folder in order to access the vault from "outside" via a browser? Any security thoughts on that? While I obviously can store my keychain inside my Dropbox (read: not accessible without logging into Dropbox), I do use a very strong password for Dropbox which is - obviously - stored in my keychain, so I don't know and don't want to remember what the Dropbox password is.

For "convenience" reasons - and so that I would not need to type in the complete url:

https://dl.dropboxusercontent.com/u/DROPBOX-USER-ID/1Password.agilekeychain/1Password.html

I would shorten that with a url shortener to something less (e.g. http://tinyurl.com/some-short-string).

Even though I know about the level of AES encryption of the 1PW keychain, I'm not sure if it's a good idea to place the keychain in a folder with a publicly available url (if you know the url of the Dropbox, obviously).

So: does it make sense to put the keychain in the Dropbox public folder? Is this stupid? Any security concerns? Anyone else had the same thought?

Would love to hear feedback. :-)

Thanks!!

Comments

  • jpgoldberg
    1Password Alumni
    edited August 2014

    I personally would not put my 1Password data in a public Dropbox folder. Nor would I recommend that anyone else does. You should try to limit access to your 1Password data, as this is a layer of security.

    The buzzword for "layers of security" is "defense in depth". Controlling access to your data is one such layer. But we know that that layer is not impenetrable. Quite the opposite. Computers with their data get stolen, Dropbox security is hardly perfect. Some people will have attackers gain access to their 1Password data. It is after that that your Master Password comes into play.

    Also keep in mind that if you are using the Agile Keychain data format (as you most probably are), that not all of the data is encrypted. In particular, the URLs and Titles of your logins are not encrypted within the Agile Keychain format. So even with an extremely strong 1Password Master Password, you may have good reason to not wish for that data to be exposed.

    What I do recommend

    As you note, there is a bit of a chicken-and-egg problem with respect to Dropbox and 1Password passwords. When you are on a new machine, you can't use 1Password with your data until you have Dropbox syncing or access set up, but with your Dropbox password stored in 1Password, you need to use 1Password before you can access your Dropbox data.

    What I have recommended is that you choose a strong, memorable password for Dropbox. Please take a look at an article on our blog specifically about this: More than just one password: Lessons from an epic hack. That article links to tips on creating a strong, memorable password for the few (sadly, not just one) things that you might need to remember passwords for.

    I hope this helps.
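To make the point about unencrypted metadata concrete, here is an added example (not code from the thread or from AgileBits) that inventories what a reader of an Agile Keychain folder can see without the Master Password. The file layout, the field names (`title`, `location`, `encrypted`, and the column order of `contents.js`) and the sample values are assumptions constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample of one item file (data/default/<uuid>.1password).
# Field names are an assumption about the Agile Keychain layout; only the
# "encrypted" member carries ciphertext, everything else is plaintext JSON.
SAMPLE_ITEM = json.dumps({
    "uuid": "0123456789ABCDEF0123456789ABCDEF",
    "typeName": "webforms.WebForm",
    "title": "Example Bank",
    "location": "https://bank.example.com/login",
    "locationKey": "bank.example.com",
    "updatedAt": 1407000000,
    "encrypted": "U2FsdGVkX1-CONSTRUCTED-PLACEHOLDER-CIPHERTEXT",
})

# Constructed sample of contents.js, the vault's index: one row per item,
# assumed column order [uuid, typeName, title, location, updatedAt, ...].
SAMPLE_CONTENTS = json.dumps([
    ["0123456789ABCDEF0123456789ABCDEF", "webforms.WebForm",
     "Example Bank", "https://bank.example.com/login", 1407000000, "", 0, "N"],
    ["FEDCBA9876543210FEDCBA9876543210", "webforms.WebForm",
     "Dropbox", "https://www.dropbox.com/login", 1407000001, "", 0, "N"],
    ["00000000000000000000000000000001", "passwords.Password",
     "Wi-Fi at home", "", 1407000002, "", 0, "N"],
])

ENCRYPTED_FIELDS = {"encrypted"}


def exposed_item_fields(item_json: str) -> dict:
    """Fields of an item file readable without the Master Password."""
    item = json.loads(item_json)
    return {k: v for k, v in item.items() if k not in ENCRYPTED_FIELDS}


def exposed_index(contents_js: str) -> list:
    """(title, location) pairs from contents.js; all of it is plaintext."""
    return [(row[2], row[3]) for row in json.loads(contents_js)]


def exposed_hosts(contents_js: str) -> set:
    """Hostnames a vault reveals, i.e. which services the owner uses."""
    hosts = set()
    for _, location in exposed_index(contents_js):
        host = urlparse(location).hostname
        if host:
            hosts.add(host)
    return hosts


if __name__ == "__main__":
    print(exposed_index(SAMPLE_CONTENTS))
    print(sorted(exposed_hosts(SAMPLE_CONTENTS)))
    print(sorted(exposed_item_fields(SAMPLE_ITEM)))
```

Running this against a real vault copy is a quick way to review which titles and URLs you would be publishing if the folder were world-readable.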

  • spinmaster
    Community Member
    edited August 2014

    Thanks Jeff, those are some good points. Even though I admit that accessing my vault by using a short url would be very convenient, I agree with your point for adding an extra layer of security and placing the vault inside Dropbox. I just changed my Dropbox password to a more memorable, still secure string and will now access my vault (when I do not have access to my Mac) by authenticating through Dropbox.

    Thanks for your feedback!

  • Megan
    1Password Alumni

    Hi @spinmaster,

    I'm so glad to hear that @jpgoldberg's post helped you out. I think you've made the right choice by selecting a memorable Dropbox password.

    Since this issue is nicely sorted out now, I'll close this thread, but if you have any further questions or concerns, please don't hesitate to open a new thread, or email us directly at support@agilebits.com - we're here for you. :)

This discussion has been closed.