Can I remove vault from Dropbox?

I'm not comfortable with leaving a vault in Dropbox even encrypted. I have 3 Apple mobile devices, a Surface Pro 3, a Win7 box, a Win8 box, and finally a Mac. I understand I can sync all the Apple devices directly and then sync with the Windows devices using Dropbox. After I sync the Windows devices can I then remove the vault from Dropbox until I need to sync again because of changes?



Comments

  • svondutch
    1Password Alumni
    edited June 2015

    I'm not comfortable with leaving a vault in Dropbox

    @mikemcm Why not? Your 1Password data is protected by AES-256+PBKDF2+HMAC-SHA-512 encryption. Assuming you have a long and strong master password, your 1Password data should be safe in Dropbox.

    I have 3 Apple mobile devices, a Surface Pro 3, a Win7 box, a Win8 box, and finally a Mac

    @mikemcm Honestly, Dropbox is the easiest solution here.

    After I sync the Windows devices can I then remove the vault from Dropbox until I need to sync again because of changes?

    @mikemcm I wouldn't recommend this route. If you really want to do this without Dropbox, then you can sync your mobile devices via Wi-Fi. But you would still need to find a way to sync your Windows PCs and your Mac. You could use OneDrive or Google Drive for this, but if you do not trust Dropbox then there is no reason to think these others are more trustworthy.

  • mikemcm
    Community Member

    As you say "it should be safe". I'm sure that everyone who has had a data breach has thought the same. All I want to do is be as safe as I possibly can be. I have no problem using Dropbox to sync but I don't want to leave the vault in Dropbox after syncing. Will that be a problem? I understand that I will need to sync "on demand" which is not as elegant as designed but, other than the additional steps I will need to take, will it work?

  • MikeT
    edited June 2015

    Hi @mikemcm,

    That's why we always encrypt your data file, long before it even hits your local drive; we built 1Password with that concern in mind. Your data is not stored decrypted nor is it synced as such to any syncing services. Dropbox does not see any of your 1Password data as decrypted. If any sync services are breached, the data file remains encrypted with your master password and the criminals would need to figure out what your master password is.

    I'd suggest reading our article on this here: https://support.1password.com/how-safe-is-cloud-sync/

    We also have a lot of interesting security articles you can skim through: https://support.1password.com/security/

    have no problem using Dropbox to sync but I don't want to leave the vault in Dropbox after syncing.

    Dropbox does not remove your data even if you've deleted it. They'll keep all deletions on their servers for up to 30 days and then prune it. This allows users to restore any accidental deletions.

    There is no reason to do what you're doing; you're not improving the security by doing this, and you're still at risk from any data breaches at Dropbox even if you try to delete files.

    Your best option is to avoid using any cloud services and to locally sync your data via Wi-Fi sync for your mobile devices and for computers, use a local sync tool. You'll need to configure 1Password on Mac to use Folder Sync before using the local sync tool to sync that specific folder to your Windows PCs.

  • RichardPayne
    Community Member

    Your best option is to avoid using any cloud services and to locally sync your data via Wi-Fi sync for your mobile devices and for computers, use a local sync tool. You'll need to configure 1Password on Mac to use Folder Sync before using the local sync tool to sync that specific folder to your Windows PCs.

    But frankly, using Wi-Fi sync with the number of devices you have is a complex and error-prone nightmare. Dropbox is a far better solution for your scenario.

  • mikemcm
    Community Member

    Thanks for your comments. I realize syncing without cloud use would be more complex but it would ultimately be more secure. Not saying that 1Password isn't as good or better than any other solution (I happen to think it's near the top) but I have always erred on the side of caution.

  • GreatRaymondo
    Community Member

    I know what you mean, it seems counter-intuitive to leave the keys to your online world out there on some server you have no control over. However you would need an insecure master password and a Dropbox breach for there to be an issue. If your master password is strong then it would take many thousands of years to decrypt your vault before it's of any use to anyone - which it wouldn't be by then.

    I'd be more concerned about the data making its way to Dropbox from one of your devices. But then I would imagine (don't know this for a fact) that Dropbox apply their own encryption of the data whilst it's in transit - so it's doubly encrypted. What I'm trying to say is that the 1Password encryption is more than enough on its own and anything extra that Dropbox apply is an added bonus.

    I really wouldn't be worried. You're already way ahead of the game by using the amazing 1Password :-)

  • RichardPayne
    Community Member

    Whether Dropbox applies encryption is sort of irrelevant. There have been enough screw-ups in the past, across various companies, to make the presumption that anything you put online will be exposed. You could, and really should, assume that Dropbox is no more secure than going to the Moscow Kingpin's front door and handing him your vault personally.

    The key point here is that what you are putting online is not your password database. It is nothing more than a set of encrypted data blocks. As has been pointed out, that data can only be converted to something useful by decrypting it. It's a straight mathematical function so the only way you'd be at risk is if there was an implementation flaw (1Password uses open source, audited and tested libraries so, while not impossible, this would be unlikely) or the attacker gaining your master password. If you have a weak password then they'll just crack it but if your password is strong then the only weakness lies in your machine (key loggers, memory analysers, that sort of thing). The risks on your local machine apply regardless of the sync solution.

    @mikemcm it is, ultimately, your decision but erring on the side of caution can be taken too far. It often becomes an impediment to useful functionality.
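Added example, not part of the thread and not 1Password's code or file format: a sketch of the point made above that a synced vault stands or falls with the master password. It stretches a password with PBKDF2-HMAC-SHA-512, checks a guess against an HMAC-SHA-512 tag, and estimates search time; the iteration count, guess rate, sample passwords and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumptions for this sketch (none come from the thread or from 1Password):
ITERATIONS = 100_000          # PBKDF2 work factor
GUESSES_PER_SECOND = 10_000   # attacker's offline guess rate at that work factor
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_keys(master_password, salt, iterations=ITERATIONS):
    """Stretch the password into 64 bytes: 32 for AES-256, 32 for the HMAC key."""
    okm = hashlib.pbkdf2_hmac("sha512", master_password.encode(), salt, iterations)
    return okm[:32], okm[32:]

def seal_tag(master_password, salt, ciphertext):
    """HMAC-SHA-512 over the ciphertext, stored next to it in the synced file."""
    _, mac_key = derive_keys(master_password, salt)
    return hmac.new(mac_key, ciphertext, hashlib.sha512).digest()

def password_opens(master_password, salt, ciphertext, tag):
    """True only if this password reproduces the stored tag (constant-time compare)."""
    return hmac.compare_digest(seal_tag(master_password, salt, ciphertext), tag)

def years_to_search(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the password: half the space divided by the guess rate."""
    return (2 ** entropy_bits / 2) / guesses_per_second / SECONDS_PER_YEAR

# Constructed sample data: the bytes stand in for AES-256 output, which the
# standard library cannot produce; only the key derivation and MAC are real here.
SALT = bytes(range(16))
CIPHERTEXT = b"constructed stand-in for an encrypted vault item"
TAG = seal_tag("correct horse battery staple", SALT, CIPHERTEXT)

if __name__ == "__main__":
    print(password_opens("correct horse battery staple", SALT, CIPHERTEXT, TAG))
    print(password_opens("password123", SALT, CIPHERTEXT, TAG))
    for bits in (28, 44, 77):
        print(bits, "bits:", f"{years_to_search(bits):.3g} years")
```

Under these assumed rates a 28-bit password falls in hours while a 77-bit one takes on the order of 10^11 years, and that gap is the same whether the file sits in Dropbox or on a local disk.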

  • MikeT
    edited June 2015

    Hi guys,

    Thanks for adding more to the discussions here. I do want to mention that we use many of the same encryption protocols that many banks around the world use to protect your money, not to mention gov't using the same for top secret documents. The protocols are stable and have been in use for more than a decade.

    The majority of the breaches that we've seen over the past decade are not the result of the encryption being broken but rather social engineering methods (convincing people to give you the credentials), bad bugs in the implementations (underfunded security programs a la Heartbleed/OpenSSL or just in the system's code like XARA just recently), malware infections (you do have to secure your system, 1Password is not the tool to protect your system but rather an isolated set of data) and horrible security policies (using weak salt or no salt for passwords, no encryption, no geolocation limits, no 2FA, limitations on the password and so on). Security is a changing landscape and everyone including us is always working on improving our security standards as well as our implementations.

    @mikemcm, let us know what you'd like to do and we'll help you set it up if you need assistance.

This discussion has been closed.