Dropbox Security Questions

Dropbox and 1Password are just awesome together. So when questions arise about Dropbox security we pay very close attention to what it means for our users. We owe it to ourselves and to our users to examine these and adapt and modify our recommendations accordingly. 1P in Dropbox icon

The bottom line is that there is no need to panic about Dropbox security. The issues that have come up all do raise very legitimate concerns about how Dropbox presents their security claims and addresses issues when they arise, but the actual issues are not nearly as serious as some of the the discussion would suggest. They are even less of an issue for 1Password users. Your sensitive information in your 1Password data is extremely well encrypted and we remain comfortable recommending syncing with Dropbox.

The Issues

We discuss these issues in more detail in our cloud security document, but very briefly:

  1. When syncing with mobile devices, Dropbox does not encrypt the file names. (File contents are encrypted.)
  2. On desktops, Dropbox does not protect its automatic login token as well as might be expected. They have made improvements in the most recent update and promise more to come.
  3. Contrary to what was stated in the Dropbox security FAQ, Dropbox employees are capable of removing Dropbox’s own encryption on your data. Dropbox have now clarified and corrected the original statement. They take steps to limit what individual employees can decrypt, but the capability to undo Dropbox encryption remains with Dropbox.

The Upshot

Because our filenames are arbitrary, issue #1 has no effect on 1Password security.1Password does its own encryption, so removing Dropbox encryption (issue #3) is not really a problem for mobile 1Password users. If you are using Dropbox on mobile devices for things other than 1Password, then you should be careful not to include sensitive information in your file names.

Issue #2 is something that is faced by any system that involves automatic login without user intervention. Some secret token must be stored on the client computer which is used for automated authentication. There was substantial room for improvement in how Dropbox handles these tokens, but we are happy to report that they have already made important improvements and promise more, saying:

Last week’s update to the Dropbox desktop application already sets more restrictive permissions on the folder that stores the authentication file. We are also working diligently on a solution that will make the authentication file useless on a second computer.

This, of course, means that if you haven’t updated Dropbox on your desktop recently, it is time to do so. The most recent version of Dropbox for 1.1.24 (April 15) for Mac and Windows.

Issue #3 is largely the result of Dropbox stating something unclearly in their security FAQ. They have apologized for the confusion and have clarified to some extent what employees can and cannot do. Here is their statement:

In our help article we state that Dropbox employees aren’t able to access user files. This is not an intentionally misleading statement – it is enforced by technical access controls on our backend storage infrastructure as well as strict policy prohibitions. The contents of a file will never be accessed by a Dropbox employee without the user’s permission. We can see, however, why people may have misinterpreted “Dropbox employees aren’t able to access user files” as a statement about how Dropbox uses encryption, so we will change this article to use the clearer “Dropbox employees are prohibited from accessing user files.”

Although the 1Password data format is designed to withstand sophisticated attacks should it fall into the wrong hands, we still wouldn’t want the bad guys to get a hold your 1Password files as data needed for indexing, searching and matching is not encrypted. (See our cloud security document for details). Because of this, along with other reasons, we are continuing to watch the situation with Dropbox very carefully.

Over the past week, there has been terrific discussion on our forums regarding Dropbox security and its relation to 1Password. It’s a great place to share thoughts and ideas on this matter. Please join us there.

The Future

In a forthcoming blog post, I will be talk a bit more about how security is an on-going process and more specifically what we are working on to make the 1Password data format even better protected as it lives its life in the cloud.

7 replies
  1. cs
    cs says:

    It would be great if 1Password allowed you to use a keyfile in addition to a passphrase to encrypt the database. So if someone got a hold of your password db, it wouldn’t be a matter of cracking some human rememberable passphrase, but would require significant computing power for large key. Currently I do this with Keepass + dropbox, and store the key only on my local systems that I access the database from, it’s never stored on dropbox.

    • Jeff
      Jeff says:

      Hi cs,

      Yes indeed. Your actual decryption key is a random 128-bit number encrypted by your master password using PBKDF2. PBKDF2 makes it much harder for an attacker to run a brute force attack against your master password.

  2. Curbed
    Curbed says:

    I’m concerned by the Dropbox issues of late. It was an extra layer of protection for files, but now it seems that layer has been reduced and we’re just relying on the 1Password AES. Any plans or ideas of creating an Agile Syncing solution for 1Password so you don’t have to rely on a 3rd party service?

  3. Mosurft
    Mosurft says:

    Mabye you could add support for different cloud services like Wuala to 1Password (especially on the Mobile Devices!). Wuala offers more Security and there are also clients for iOs and Android available.

Trackbacks & Pingbacks

  1. [...] Naturally, when I heard that the complaint had been filed I had to read it closely. After all, the security of Dropbox is of great concern to us all. So what did I find? I found that every security issue mentioned in the FTC filing was something that we had already looked at. I discussed all of these points in earlier posting. [...]

  2. [...] Its increased popularity has increased its scrutiny, and there have been security problems discovered.  Agile, the makers of 1Password, have posted their opinions here. [...]

Comments are closed.