Posts

Your Master Password is your defense from Dropbox breaches, real and imagined

Rumors of a Dropbox data breach spread this weekend, a breach that ultimately turned out to be false. But even in instances of false alarms, it is useful to remind 1Password users that their 1Password data cannot be decrypted without the Master Password. So let me take this opportunity to remind everyone that your 1Password data cannot be decrypted without your Master Password. If someone steals your 1Password data – whether from the theft of your own computer or through the breach of a sync service – they cannot decrypt it.

Fact checking

It is worth noting that when a perpetrator of a rumor like this self-identifies as “Operation Troll Security”, it might be worthwhile to double check their claims before jumping to conclusions or even reporting the claims further. This is particularly true if a perpetrator has a history of claiming responsibility for every notable site outage, then laughing at people who believed them. Operation Troll Security doesn’t often tell the truth, but it may be wise to heed one particular tweet:

https://twitter.com/1775Sec/status/421861679631044608

Despite the fact that the claims of a Dropbox breach were a complete hoax, it still is worthwhile to point out some things about the security of your 1Password data if it ever does fall into the wrong hands.

End-to-end encryption

1Password uses what is called “end-to-end” encryption. 1Password on your computer or mobile device encrypts your data with keys that are derived from your Master Password. Those keys are never stored anywhere or transmitted. Nobody, not even us at AgileBits, ever sees those keys or your Master Password. This is why it is absolutely essential that you don’t forget your Master Password. We cannot reset it or reconstruct it. Your data can only be decrypted by you.

We designed 1Password this way from the outset because we knew that computers get stolen and services get compromised. By placing all encryption and decryption under your control, we become far less reliant on the security of any sync service.

Protecting Master Passwords

If an attacker does get hold of your 1Password data, the only feasible way for them to attempt to decrypt it would be to try to guess your Master Password. Of course, they wouldn’t sit there typing in guesses. Instead they would run automated password guessing systems against the data.

We have a long history of building mechanisms into 1Password’s data format that make it harder for attackers to guess your Master Password. When we released 1Password 2.5 in 2007 with the then new Agile Keychain data format, we added PBKDF2 so that anyone trying to run automated password guessing systems against captured 1Password data would have to perform lots of slow computation for each guess. You can read more about PBKDF2 and this aspect of our design in an older article of mine, Defending against crackers: Peanut Butter Keeps Dogs Friendly, Too. Many of the details have changed over the intervening years, but the essential concept remains the same.

Toward better Master Passwords

PBKDF2 makes it harder for those automating password guessing, but it does have limits. You need to do your part by choosing a good Master Password. Even a small improvement to a Master Password goes a long way. Adding a single truly randomly chosen digit to the end of your Master Password makes the attacker work ten times longer to guess it. Adding a truly randomly chosen word makes the attacker work thousands of times longer. Adding two truly randomly chosen words makes the attacker work tens of millions of times longer.

You will note that I emphasized the phrase “truly randomly” a few times there. That part is crucial. People turn out to be very unrandom even (especially?) when they are trying to be random. If you follow our advice in Toward Better Master Passwords, you will see how you can securely pick words at random to add to a Master Password. Hint: It involves rolling dice. It’s fun!
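The per-guess cost that PBKDF2 adds and the multipliers quoted in this section, written out as an added example (not 1Password's code or data format). It assumes HMAC-SHA1 as the underlying function and a 7,776-word dice list; the function names, salt and iteration counts are illustrative.

```python
import hashlib
import hmac
import struct

# Assumption: words are picked from a 7,776-entry list (five dice rolls per word).
DICE_WORDS = 6 ** 5
SHA1_LEN = 20


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int,
                dklen: int = SHA1_LEN) -> bytes:
    """PBKDF2 (RFC 2898) spelled out so the work per guess is visible.

    Every candidate password costs `iterations` HMAC calls per output block,
    and each call depends on the previous one, so the chain cannot be skipped.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    derived = b""
    block_index = 1
    while len(derived) < dklen:
        # U1 = HMAC(password, salt || block index as a 32-bit big-endian integer)
        u = hmac.new(password, salt + struct.pack(">I", block_index),
                     hashlib.sha1).digest()
        acc = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U(n) = HMAC(password, U(n-1)); the block is the XOR of all U values
            u = hmac.new(password, u, hashlib.sha1).digest()
            acc ^= int.from_bytes(u, "big")
        derived += acc.to_bytes(SHA1_LEN, "big")
        block_index += 1
    return derived[:dklen]


def guess_multiplier(random_digits: int = 0, random_words: int = 0) -> int:
    """Factor by which truly random additions enlarge the guessing space."""
    return 10 ** random_digits * DICE_WORDS ** random_words


def hmac_calls_to_exhaust(base_guesses: int, iterations: int,
                          random_digits: int = 0, random_words: int = 0,
                          dklen: int = SHA1_LEN) -> int:
    """HMAC invocations needed to try every candidate once."""
    blocks = -(-dklen // SHA1_LEN)  # ceiling division: output blocks per guess
    candidates = base_guesses * guess_multiplier(random_digits, random_words)
    return candidates * iterations * blocks


if __name__ == "__main__":
    # Constructed inputs: the password, salt and iteration count are made up.
    key = pbkdf2_sha1(b"correct horse", b"constructed-salt", 10_000)
    print("derived key:", key.hex())
    for digits, words in [(0, 0), (1, 0), (0, 1), (0, 2)]:
        work = hmac_calls_to_exhaust(1_000_000, 10_000, digits, words)
        print(f"+{digits} digit(s), +{words} word(s): {work:,} HMAC calls")
```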

A hoax is a hoax, of course of course

Even though the report of a Dropbox breach was a hoax, you still may ask what role Dropbox security plays in the security of your 1Password data. I hope that this article helps explain that and how using 1Password can keep your secrets safe. I look forward to further discussion in our forums.

1Password makes it onto the “Dropbox for Business apps” page

1Password can do wonders for helping businesses secure their data, and Dropbox is a fantastic way for businesses to sync their data everywhere they need it. That’s why we’re honored to find Dropbox listed 1Password on its new Dropbox for Business apps page. We’re among some great company on that page too, like HipChat (which we use here at AgileBits), Yahoo Mail, and IFTTT.

Thanks to the fine folks at Dropbox!

1Password How To: Setup Dropbox sync on iOS

If you’re looking to get some 1Password sync action going with iOS, this might be the how-to video for you. I show you how to create a Dropbox account and set it up on your iPhone and iPad so 1Password can wirelessly and automatically sync all your stuff, but the basic steps can apply to Mac and PC users, too (don’t worry, those videos are coming).

Let us know what you think of this, because there are more where it came from.

Doing the two-step until the end of time

In my discussion of Dropbox’s new two-step authentication, I skimped on the cryptography. Because we had to move quickly, I wanted to focus at the time just on our recommendations, so I told a few fibs about the way the six digit codes “get” to your phone. Now I want to explain how it really works.

Not only that, but I will sneak in a little introduction to Message Authentication Codes (MACs), which play a major role in our newest version of the 1Password data format. This topic is also worth revisiting because our new release, 1Password 4 for iOS, works well with Dropbox’s two-step verification.

Speaking of, let’s start with Dropbox’s two-step authentication system. I did try to warn readers that I was being less than forthcoming about the full truth when I suggested that a six digit code is sent from Dropbox (or Google) to your phone:

There are also some really cool things about how the protocols for two-factor authentication work, but I will bite my tongue and leave that discussion for another day. What this means, however, is that a great deal of what I say in describing the system below is a pack of lies.

Even my word “protocol” could be confusing, as it might imply some network activity. The magic of the system is that anything using this type of Time-based One Time Password (TOTP) tool will compute the same six digit code at a particular time with the initial set-up secret. Dropbox’s login system will calculate the six digit code on its own; and a tool that you use, such as Google Authenticator, will also calculate the six digit code on its own. No network connection is needed after the first time setup. In my example below, I’ll use Google Authenticator, but it isn’t the only TOTP tool out there.

Initial set up

When you first set up something like the Google Authenticator you scan in a QR code. It might look something like this:

Sample QR code for setting up authenticator

The code contains a label that will typically be “Dropbox:your-email@example.com”, and it contains a secret that is randomly generated and unique for each account. The secret might look like “MQZDKZRZGBRWMMZXMI4TCMZUMYYDKYTC”. Putting this inside of a QR code just saves you a lot of typing. If you don’t have a camera that can be used to scan the code, there is even a link for getting the information that you should type in. Scanning this in is the only time that information will be transmitted (in this case, transmitted via your phone’s camera) from Dropbox to Google Authenticator.

Google Authenticator on your phone will keep a copy of the secret, and so will the Dropbox servers. That shared secret allows both Google Authenticator and Dropbox to calculate the same six digit codes when needed.

Counting on time

When you log into Dropbox with your username and password you will then be prompted for the six digit code if you have enabled two-step verification. You will then open Google Authenticator on your phone and you will see six digits. Those six digits are computed from a combination of the shared secret and the current time. The current time is the number of seconds since the first instant of 1970. It is rounded down to the nearest half minute. This is why the number changes every thirty seconds.

When you enter the six digit code during Dropbox’s login process, Dropbox will perform the same calculation. It has a copy of the secret that was first shared, and it too knows the current time. If what you enter matches what it has calculated, you’re in.

Your phone will not need any network connection as long as its clock is reasonably accurate. Fun fact: your phone actually makes minor adjustments to its clock pretty much every time it connects to any kind of network that allows it to check a time server on the internet. Today, most networked computers and devices know the current time to within less than one tenth of a second.

Because the code depends on both the time and on the shared secret, we end up with a different code during each 30 second period. This makes it a one time password.

Beyond the end of the world (January 19, 2038)

Ancient eunuchs foretold global catastrophe on January 19, 2038, as their long count calendar comes to an end and starts a new cycle from zero

—Anonymous

Replica of the Aztec sun stone. This has nothing to do with Unix or Mayan time keeping.

The number of seconds since the very beginning of 1970, known as Unix time, is often maintained in a single variable in the computer’s operating system. When Unix was first designed, this number was stored in a 32 bit variable. That means that the number could range from 0 to 2^32. Zero corresponds to midnight on January 1, 1970 (UTC). So what time does 2^32 correspond to? That will be 3:14:07 (UTC) on January 19, 2038. Bad things will happen then to computers that are still using 32 bit integers to store Unix time.

So will Google Authenticator stop working in 2038? No, it should be fine. Even though iOS devices – based on 32-bit ARM chips – do just use 32 bit “long” integers, Google Authenticator doesn’t rely on that. It uses NSDate to get Unix time on iOS.

Indeed, the actual standard defining TOTP states:

The implementation of this algorithm MUST support a time value T larger than a 32-bit integer when it is beyond the year 2038.

Another wrinkle in time

Unix Time really is the number of seconds since the very beginning of 1970, but that number ignores leap seconds. Leap seconds are added (or subtracted) on occasion to account for the fact that the speed of the Earth’s rotation can change slightly due to earthquakes, other seismic activity, and even tidal activity (not only do I get to talk about a calendar system reaching its end and resetting, I get to talk about earthquakes and tidal waves in the same post!). A leap second was added at the end of June 2012, so noon (leap second adjusted) on July 1 was actually only 86399 seconds later (by Unix time) than June 30 instead of 86400 seconds later as you would normally get between two days.

The TOTP standard requires the use of Unix time, which is defined to ignore leap seconds. This way, everyone who follows the standard will be using the same clock and calendar. Also, keep in mind that Unix time isn’t just for Unix-based operating systems like OS X, iOS, and Android. Windows has a similarly defined FILETIME, which differs in its start time and that it counts in nanoseconds instead of seconds, but it can be converted to Unix time easily enough for use in the TOTP protocol.

Time to meet MAC

Earlier, I said that the code, or one time password, is computed from the secret key and the time, but not just any old computation will do. For the system to work securely, we need the computation to meet some requirements which include:

  1. It must be easy to calculate the code from the key and the time, but it must be completely unfeasible to calculate the key from the code and the time.
  2. It must be unfeasible to predict without knowledge of the key what the code will be at some particular time even if you have observed what the code is at many other times.
  3. The calculation will always give the same result if given the same key and time (it is a function).

These look similar to some of the requirements we wanted for a good cryptographic hash function. And a cryptographic hash function will play a central role in how this is all done.

This also looks as if we are using a shared secret key to create a digital signature on the time. Digital signatures also involve hash functions. But “digital signature” isn’t really the right term here because those are based off of public/private key systems. With TOTP, we have a shared secret.

In place of a digital signature, we have a Message Authentication Code (MAC). This is not to be confused with “MAC” of “MAC address” that you see as hardware addresses for networking equipment, and certainly not to be confused with “Mac” (Apple’s family of computers) or “mac” (the mackintosh raincoat). Maybe this will help keep things clear:

A lowercase mac, for when you need wet wear
And an all-caps MAC is made by software
You’d be just as cool as the great Ry Cooder
If you never confound these with a Mac computer

One of the ways to use a cryptographic hash to create a MAC is the HMAC. You will hear more about HMAC in the not-so-distant future.

Keeping time, time, time

One consequence of this sort of system is that it makes the computers’ knowledge of the time part of the security system. This isn’t anything new; this requirement has been part of the Kerberos system for decades. Indeed, one of my first roles in system administration was keeping clocks in sync with each other, specifically for Kerberos.

Unfortunately, this means that if someone can tamper with the time signals a computer receives from outside, then they can do damage to other aspects of security. We need systems to verify that the messages they get about the time are authentic, but the less-than-ideal state of secure time synchronization could be the subject for a new series of rant posts. Fortunately, I’ll spare you.

It is also not clear at this point what forms of time travel this or other security protocols can resist. I believe that there is a research paper in this question somewhere for an adventurous student and a flexible professor.

Six digits from 160 bits

Let’s now put all of these pieces together. Dropbox and Google Authenticator each have the shared secret from when you set up your two-step verification. And each knows the correct time at the moment. So when each calculates the HMAC of the current time, using the shared secret as a key, they will calculate the same number. If they use SHA-1 for the hash function (as they do in the current system) the number that they calculate will be 160 bits long, or roughly 48 digits. The final step is to compute a 6 digit number from that 160 bit number. But let’s save time and skip those final details.
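The computation described in this section, including the final six-digit step the text skips, as an added example (not Dropbox's or Google Authenticator's code). It follows the TOTP standard's HMAC-SHA1 construction; the function names and the one-step verification window are assumptions, and the Base32 secret is the sample quoted earlier on this page.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the code changes every half minute
DIGITS = 6

# Sample set-up secret quoted earlier on this page (Base32, as found in the QR code).
PAGE_SECRET = "MQZDKZRZGBRWMMZXMI4TCMZUMYYDKYTC"
# Test key from the published TOTP/HOTP test vectors.
RFC_TEST_KEY = b"12345678901234567890"


def decode_secret(b32: str) -> bytes:
    """Turn the Base32 text from the QR code into the raw shared key."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC the counter, then reduce the 160-bit MAC to a short decimal code."""
    # The counter is packed as 64 bits, so time values past 2038 still fit.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window.
    offset = mac[-1] & 0x0F
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time=None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Code for the 30-second period that contains unix_time."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(key, int(unix_time) // step, digits)


def verify(key: bytes, submitted: str, unix_time=None, window: int = 1,
           step: int = STEP_SECONDS) -> bool:
    """Server-side check. Assumption: accept one step either side for clock drift."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // step
    matched = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        expected = hotp(key, counter + drift)
        # Constant-time comparison; keep looping so timing does not reveal the match.
        matched |= hmac.compare_digest(expected.encode(), submitted.encode())
    return matched


if __name__ == "__main__":
    key = decode_secret(PAGE_SECRET)
    now = int(time.time())
    phone_code = totp(key, now)            # computed on the phone, offline
    print("code now:", phone_code)
    print("server accepts:", verify(key, phone_code, now))
    print("code after 2038:", totp(RFC_TEST_KEY, 20_000_000_000))
```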

Time for closing remarks

Dropbox’s two-step authentication is a great thing, and 1Password for iOS now works more smoothly with it. But it does the most good for people who are using weak or re-used passwords to log into Dropbox. Thankfully, 1Password users don’t really need to worry about that problem.

Dropbox follows through on password resets

Have you been asked to reset your password when you try to log into Dropbox.com? You aren’t alone, and this is all as expected. If you haven’t changed your Dropbox password in a while, you (like me) will be asked to change it when you log into the website.

Back in July, Dropbox announced that they would roll out some security changes, including requiring password resets. You can read more about what led to that announcement in one of our countless articles on the dangers of using the same password for multiple sites and services. In that announcement, they listed four changes. Today we are seeing the implementation of the fourth:

In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

It seems like today is the day for this rollout to begin. I and a number of users were greeted with a page like this when logging into Dropbox’s website:

Dropbox password expired page

When you click on the “Send Email” button, Dropbox will send an email to your account address with a link for resetting your password.

If, like me (though against my current, soon-to-probably-change advice), you have enabled Dropbox’s two-step verification system, you will also be prompted for your six digit code. Once that is done, you will have successfully reset your password.

Is this legit?

When I heard of users being prompted for a password reset on Dropbox, my first thought was that this might be a phishing attempt. That is, a website pretending to be Dropbox might be trying to capture people’s passwords. When I went through the process, I double checked the authenticity of everything that I was seeing. Everything checked out.

The first thing, of course, was to check I was connected using HTTPS and that there were no errors or warnings about that connection. HTTPS is not just about encrypting the communication between your web browser and the web server, it is about the web server proving that it is who it says it is. The quickest way to check this is to look for some kind of a lock in your browser’s location bar. If there is some error, it will be indicated there.

You can always click on the lock to get more details (which I did). But for most people, verifying the lock and that there is no error is sufficient. If you do want to know more about reading the details, one place to start would be in a post last summer about how this system can sometimes fail.

Password reset email from Dropbox

After getting the email, I checked it for signs of obvious forgery. But because I would like to get this article finished this month, I won’t describe how I went about that (I was an email administrator in the previous century). I will just say that everything checked out to the extent that it is possible to check.

I then followed the link in the email and once again made sure that my Safari really was talking to the genuine Dropbox. That is, I checked to see that I had an HTTPS connection and that no errors were indicated.

After that I rolled up a new password and entered that. Of course I made sure that my new Dropbox password was saved in 1Password. Finally, I was prompted for my six digit verification code as part of Dropbox’s optional two-step verification.

Everything in this process checked out as authentic. I don’t expect everyone to check things as thoroughly as I did, but it is important to get into the habit of checking that HTTPS websites are who they say they are. The details are different for different browsers, but they all try to warn you if there is a problem with the trustworthiness of a website’s certificate.

Changing passwords for another day

We 1Password users have strong and unique passwords for the sites that we log into. And so the security benefits of password changes are minimal. But Dropbox has no way to identify people who never use the same password on multiple sites, so we will be subject to the same requirement to change old passwords.

I will have much more to say about how often people should change passwords some other day. Quick preview: Once you have a good, memorable, and unique Master Password for 1Password you should keep it for life. For all sites and services, change your password when the administrators of those sites tell you to.

1Password users should wait a bit before trying Dropbox’s two-step verification

Dropbox has just released a new, optional, two-step authentication process. 1Password 3 (Mac and iOS) and 1Password for Windows use Dropbox for synchronizing your 1Password data across systems and platforms. So anything that has to do with Dropbox security is of interest to us and to 1Password users.

The bottom line is that I recommend 1Password users not be early adopters of this. Early adopters should:

  • understand the data security gains and risks thoroughly (discussed below)
  • take steps to reduce those risks (have great backups), and
  • be very comfortable using pre-release systems

My recommendation does not reflect any criticism of Dropbox’s experimental system. It looks (from my brief exploration) like it is done extremely well. But for the large majority of 1Password users, it’s just a little early to start using their two-step authentication system.

If you would like to know more about the two-step authentication system Dropbox has just rolled out and why I am recommending a “wait-and-see” approach at this point, read on.

Stop trying to scare us away from it. What does it do?

I will return to scaring 1Password users away from jumping on Dropbox’s beta two-step authentication system later in this article. But it will be easier to do so after I’ve outlined how it works. There are also some really cool things about how the protocols for two-factor authentication work, but I will bite my tongue and leave that discussion for another day. What this means, however, is that a great deal of what I say in describing the system below is a pack of lies. I will be describing how things may superficially appear to users, not how it really works.

Dropbox calls their system “two-step verification”, and that is an excellent name for communicating what it does. I will continue to use the term “two-step authentication” because I will need to make use of the more technical term, “authentication”, further on.

Logging in

Once you have set up two-step authentication with Dropbox, then every time you log into Dropbox with a web browser or authorize a new computer or service to use Dropbox, you will be prompted to enter a special six digit code. It will be a different six digit code each time, and the code that you need to enter will be sent to your phone. So in addition to needing your Dropbox username and password to connect to Dropbox, you will also need access to your phone.

There are a number of ways that Dropbox can send the six digit code to your phone. I have been testing with Google Authenticator, and so far (I’ve only been playing with this for a few hours), it works as advertised and is easy to use.

Already authorized devices

When you first set up Dropbox on your computer or set up 1Password on your iPhone to sync with Dropbox you do not need to authenticate those again. The ability to connect remains until you take specific steps to break that link. Enabling two-step authentication doesn’t break those existing links. So if you already have 1Password on your iPhone syncing with Dropbox, you will not need to enter a six digit code into 1Password to allow that syncing.

Linking new devices

Dropbox has just released a new version of their desktop software which is capable of dealing with their two-step authentication directly. This is great for the desktops, but you might find that you need to download the latest version from Dropbox’s download page. It looks like version 1.4.17 is the first non-beta version that natively supports two-step authentication.

As I mentioned, if you have already set up Dropbox syncing for 1Password on your mobile device it will continue to sync after you turn on Dropbox two-step authentication. If you do need to set up Dropbox syncing from 1Password after you have enabled two-step authentication, there are some additional steps you need to take. I talk about those in a separate section.

What happens when you lose your phone?

The people at Dropbox know full well that people lose access to their phones. It would be terrible if having your phone lost, stolen, or drenched meant that you could no longer get to your Dropbox data. So when you first set up two-step authentication, you will be given a “backup code”. This is a long, random, sixteen character, and impossible-to-remember code. You need to keep this someplace secure because you will need it to reset two-step authentication if you lose your phone.

The obvious place to keep such an important and hard to remember backup code is in 1Password. I set up a Generic Account under Accounts for this and added it as a Note to my Login for Dropbox in 1Password.

Now, suppose you are traveling and your phone gets stolen or damaged. If you don’t have access to a computer or device that is already linked to your Dropbox account, you won’t be able to reset two-step authentication. You won’t be able to access your 1Password data, which in turn means that you won’t be able to access many of the accounts and services you need. At least, you won’t be able to until you either get to the piece of paper where you wrote down your backup code or get to a computer or device that is already linked to your Dropbox account.

Data availability is part of data security

Dropbox’s two-step authentication eliminates one particular risk—someone breaking into your Dropbox account because they’ve discovered your Dropbox password. But it would not, for example, protect against a general Dropbox breach. Also, your 1Password data is already designed to withstand sophisticated attacks if someone does get a copy of it. Thus, the actual security gain for your 1Password data that Dropbox’s two-step authentication adds is minimal. It is of most use to people who have poor password practices and have secret, but unencrypted, data stored on Dropbox.

Data availability is just as much a part of data security as data secrecy. It is the ability to get and use your own data when you need it. For a dramatic case of what it means when people lose access to their own data, consider what happened to Mat Honan. If he had not found a way to get back into his Dropbox account after all of his personal devices and computers were wiped clean, he would have lost all access to his 1Password data.

Because phones can be easily lost, stolen, or damaged, using Dropbox’s two-step authentication increases the risk to data availability. In opting to enable two-step authentication, you are balancing one risk against another. Indeed, most security trade-offs involve balancing one kind of security with another. In this case we are considering a very small gain in protecting data secrecy against a potentially larger, but hard to estimate, risk of losing data availability.

If you insist

If you insist on trying Dropbox’s new two-step authentication process, here are a few recommendations.

1. Be obsessive about data backups

You should have backups of your 1Password data that will:

  1. be recoverable before you have access to your 1Password data. For example, if your backup is encrypted, you will need a way to get to that password before you have restored your 1Password data
  2. be recoverable if your house burns down
  3. be recoverable if your computers and devices are subject to the kind of “remote wipe” attack that Mat Honan experienced

Another way of looking at this is, if you enable two-step authentication, you should not think of Dropbox as a backup system (you shouldn’t anyway for other reasons). I know that I’ve gotten lazier about personal backups since using Dropbox (despite the fact that I shouldn’t). Any such laziness needs to be reversed if you enable two-step authentication.

One option is to make a copy of your 1Password data and burn it to a CD. Your 1Password data should include your Dropbox credentials, including the backup code. You may wish to keep a copy of that CD in your car or some location away from your other backups.

2. Write down your Dropbox backup code

Keep copies of the Dropbox rescue or backup code in a variety of places, including on paper. You need this if you lose your phone. And if you lose your phone and have serious loss of access to data on your computers, you will need to reset two-step authentication without having access to what is on Dropbox.

Setting up and using Dropbox’s two-factor authentication with 1Password

To enable Dropbox’s two-step verification, check out this document in their help center. Dropbox wants everyone who uses two-step verification to participate in their discussion forums. You should join that discussion to see instructions for enabling two-factor authentication in the first place. That is where help, updates, and important changes are discussed.

Once you have set things up and Dropbox is working correctly on your desktops, there is nothing that you need to do with 1Password on your Desktop. 1Password on the desktop doesn’t actually talk to Dropbox; it just makes use of what is in your Dropbox folder.

As I’ve mentioned before, if 1Password on your phones or iPads is already configured to do Dropbox syncing, then again, you are all set to go. Nothing changes. Dropbox has already given a token to the 1Password app which it can use for logging in. It is only if you need to set up Dropbox syncing that you need to take a few extra steps:

Step 1: Follow the normal instructions for setting up Dropbox syncing in 1Password on your device. Note that after you enter your Dropbox username and password, the login attempt will fail.

Step 2: Check your email (the email address that is your Dropbox username). You should get some email from Dropbox that looks like this:

Dropbox 2-step email

Step 3: When you follow the link in that email you will (once you’ve logged onto Dropbox in your web browser) get to a page that looks like this:

Dropbox one-time password page

Use the one time password presented on that page as a temporary Dropbox password back in 1Password on your mobile device.

Why am I such a downer?

I am delighted that Dropbox is rolling out a two-step authentication system. This is a good thing for Dropbox to be doing. It is particularly beneficial to those Dropbox users who use the same password for Dropbox as they do at other sites though, naturally, I hope few 1Password users are among them.

It is also early days for this feature. As development and experience progress, we will come to better understand the risks of data loss and so be able to provide advice better tuned to the actual risks. But until that time, I have to take the most pessimistic view. I wouldn’t be surprised if weeks from now I’d be encouraging pretty much everyone to sign up.

A note on multi-step authentication and 1Password

Multistep authentication has clear and obvious security benefits. So it is more than natural for people to ask why 1Password doesn’t employ it. I’m planning to write a more detailed explanation of our developing thoughts on that, but I would like to take this opportunity to discuss the difference between authentication and decryption.

When you connect to some service, like Dropbox, you or your system has to prove that it really has the rights to log in as you. That process is called “authentication”. It is the process of proving to the Dropbox servers in this case that you are really you. You can do this through a username and password; you can do this through a username, password, and code sent to your phone; you can do this by having a particular “token” stored on your computer. Authentication always involves (at least) two parties talking to each other. One party (the client) is under your control; the other (the server) is under someone else’s control.

1Password, however, involves the 1Password application (under your control) talking to your 1Password data (under your control) on your local disk (again, under your control). This is not an authentication process. So 1Password doesn’t even do one-step authentication. It does no authentication at all. 1Password doesn’t gain its security through an authentication process. Instead the security is through encryption. Your data on your disk is encrypted. To decrypt it you need your 1Password master password.

There are great advantages to this design: Your data and your decryption of it don’t require our participation in any way once you have 1Password. But one disadvantage is that the kinds of techniques used for multi-step authentication are entirely inapplicable to 1Password. Those techniques are designed to add requirements to an authentication process, but unlocking your 1Password data is not an authentication process at all. Because there is no 1Password server, there are no (additional) steps we can insist on as part of a (non-existent) login process.

There are approaches that we could take which would approximate the effect of multi-step authentication for what is actually a decryption process. But I will save discussion of those for another day.

Updated on 8/27 to:

  1. Reflect that Dropbox has fully released two-factor verification. When I was writing this article, it was in “beta”. But at about the same time that this article was first published, Dropbox had released version 1.4.17.
  2. Tell fewer lies about how the second step authentication works. It still pretends that data is transmitted to your phone, but I’ve at least toned down that implication.
  3. In conjunction with Dropbox moving this out of beta and the experience of lots of 1Password users switching over to two-step authentication, I’ve become much more optimistic about when we will feel more comfortable recommending this to 1Password users. I changed my guess of “months” to “weeks”.

More than just one password: Lessons from an epic hack

Mat Honan, a 1Password user and writer for Wired, did everything right. He had strong, unique passwords everywhere. Yet he was the victim of an “epic hack”, and had to put a great deal of effort into getting his digital life back.

A very brief account of this Homer-worthy hack is that someone talking to Amazon customer service got into Mat’s Amazon account, from which they were able to learn enough about him to then call Apple’s customer service to get a new password set. Once they had Mat Honan’s Apple ID and password they used Remote Wipe to erase his iOS devices and his Macs. This has been written about extensively elsewhere, but I would like to talk about this in the context of whether there are useful lessons for 1Password users.

Mat described part of his recovery process thusly:

I’m a heavy 1Password user. I use it for everything. That means most of my passwords are long, alphanumeric strings of gibberish with random symbols. It’s on my iPhone, iPad and Macbook. It syncs up across all those devices because I store the keychain in the cloud on Dropbox. Update a password on my phone, and the file is saved on Dropbox, where my computer will pull it down later, and vice versa.

But I didn’t have it on any of our other systems. So now I couldn’t get to my keychain. And so I was stuck in a catch-22. My Dropbox password was itself a 1password-generated litany of nonsense. Without access to Dropbox, I couldn’t get my keychain. Without my keychain, I couldn’t get into Dropbox.

Lesson 1: Some might need more than one password

I love the idea that 1Password allows me to just remember one password, my 1Password Master Password. But some of us may actually want to remember a couple more. Here are the strong, unique passwords that I choose to remember:

  1. My 1Password Master Password for the desktop
  2. My 1Password Master Password on my iOS devices
  3. My Dropbox password
  4. The passcode for my iOS devices
  5. My computer login password
  6. Password for my primary email account

Not everyone will have the same list. Plus, if you use the same Master Password on iOS as you do on the desktop, then your list is of course a little shorter.

What is relevant here is number 3 on that list. I need my Dropbox password in circumstances where I may not have access to 1Password. For example, when I start using a new computer, the first thing I install is Dropbox and the second thing is 1Password. This way, I have all of my 1Password data available to me as I go about setting up subsequent things.

Of course if I always had my phone with me, I could get my Dropbox password from 1Password on my phone, but I didn’t want to count on always having my phone. I’m guessing that this is what Mat did, and he certainly didn’t count on having his phone maliciously obliterated—along with all his other devices—via iCloud’s remote wipe feature.

Fortunately, Mat found a way back into his Dropbox account: it turns out he had set up Dropbox on a machine that had not been wiped. So he was able to get to his 1Password data there, and begin to recover his digital life.

Constructing strong, memorable passwords

How do I make good strong passwords that I can also remember? I try to follow my advice in Toward Better Master Passwords. I have yet to follow my own advice with everything, but I am slowly migrating the few passwords that I do need to remember to that system. Indeed, it makes sense to change these gradually so that you are sure to have solidly memorized one new password before creating another that you need to remember.

A few more things I remember

In addition to the passwords that I feel I have to remember, here are a few things that are very convenient for me to remember instead of always looking up in 1Password. I can look them up if I really needed to, but often I need them where I can’t easily get them from 1Password:

  1. My bank card PIN
  2. My bicycle lock combination
  3. My Apple ID password
  4. My SSH private key password

I simply haven’t figured out a way to copy and paste my bike lock combination from 1Password to the lock.

Lesson 2: Become a backup believer

There are two kinds of computer users: Those who have experienced a catastrophic disk failure and those who will.
— Ancient wisdom, source unknown.

First of all, making backups is essential. Today most people have two options for a backup system. We can go with off-site backups, or we can back up to a local disk. Backing up off-site is great protection if your house burns down or is burgled. You have put your eggs in different baskets. Backup to a local disk has the advantage that you aren’t depending on a remote service that you may not be able to access in an emergency. It is hard to make a case that one strategy is better than the other in general.

Here is something that Mat learned in the process.

I’m certainly a backup believer now. When you control your data locally, and have it stored redundantly, no one can take it from you. Not permanently, at least. I’ve now got a local and online backup solution, and I’m about to add a second off-site backup into that mix. That means I’ll have four copies of everything important to me. Overkill? Probably. But I’m once bitten.

But – and here is another reason to have a memorable Dropbox password – your online, off-site backup system will require a password to access. If you encrypt your at-home backups, those too will require a password to work from. Good backups are important, but you may need to get to your 1Password data before you can restore from a backup.

An old lesson: Don’t reuse passwords

Even if we take good care of our passwords, that doesn’t mean that all the sites and services that we use take the same care. Mat’s case illustrates this fact when it comes to password reset mechanisms, but it can also apply to how passwords are stored and encrypted on sites. Because not everyone handles things perfectly, we need to make sure to use unique passwords for each site and service.

Password reuse strikes again, and a bit closer to home at Dropbox

Not so long ago, I wrote about a case where attackers were taking passwords that were leaked from one site to go after users on another. In that case, the target was Best Buy. Today’s case hits a bit closer to home for 1Password users, as Dropbox accounts are being attacked using passwords stolen from non-Dropbox sites. Just as no passwords were stolen from Best Buy, no passwords have been stolen from Dropbox. The passwords were stolen from breaches at other sites and then just applied to Dropbox accounts.

To give you an idea of the dangers of password reuse and how this type of attack works: suppose Molly has an account on chasing-cute-cats.com and that site got breached. Also imagine that the site didn’t store passwords in sufficiently secure ways, so that after the breach it was possible for attackers to actually figure out what many users’ passwords, including Molly’s, are. The attackers now have Molly’s username and password on that site. You might figure that there is little harm done because there really isn’t a lot that people could do with Molly’s account on chasing-cute-cats.com.

But now suppose that Molly uses the same username and password on Dropbox (Molly doesn’t take advice all that well). The attackers can try to log into Molly’s Dropbox account with the username and password they discovered from the breach at chasing-cute-cats.com. This, according to the recent announcement by Dropbox, has been going on with a small number of Dropbox accounts.

Users of 1Password probably don’t need to be reminded why it is so important to have unique passwords for every separate site and service. But because this case of password reuse with Dropbox is such a good reminder, it can’t hurt to talk about it again in the hopes we can all help spread the word.
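Molly's exposure can be measured before an attacker measures it for her. The following added example (not from the original post) audits a constructed vault export for reused passwords and reports which other accounts a breach at one site would open; the entries, field names and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed vault export for Molly (illustrative values only).
VAULT = [
    {"site": "chasing-cute-cats.com", "username": "molly@example.com", "password": "squirrel!"},
    {"site": "dropbox.com", "username": "Molly@example.com", "password": "squirrel!"},
    {"site": "bank.example", "username": "molly@example.com", "password": "kT9#vq2LmZp0"},
    {"site": "forum.example", "username": "mollydog", "password": "squirrel!"},
]


def fingerprint(password, key):
    """Keyed digest used for grouping, so reports never carry the password itself."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()


def reuse_clusters(entries):
    """Return sorted lists of sites that share one password (clusters of size > 1)."""
    key = os.urandom(32)  # per-run key: fingerprints are useless outside this run
    groups = defaultdict(list)
    for entry in entries:
        groups[fingerprint(entry["password"], key)].append(entry["site"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def exposed_by_breach(entries, breached_site):
    """List other sites opened by a password recovered from breached_site.

    same_login:    username and password both match, so the leaked pair works as-is.
    same_password: only the password matches; the username still has to be found.
    """
    key = os.urandom(32)
    result = {"same_login": set(), "same_password": set()}
    for leak in (e for e in entries if e["site"] == breached_site):
        leak_fp = fingerprint(leak["password"], key)
        for entry in entries:
            if entry["site"] == breached_site:
                continue
            if not hmac.compare_digest(leak_fp, fingerprint(entry["password"], key)):
                continue
            same_user = entry["username"].lower() == leak["username"].lower()
            result["same_login" if same_user else "same_password"].add(entry["site"])
    return {kind: sorted(sites) for kind, sites in result.items()}


if __name__ == "__main__":
    print("Reused passwords:", reuse_clusters(VAULT))
    print("If chasing-cute-cats.com is breached:",
          exposed_by_breach(VAULT, "chasing-cute-cats.com"))
```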

Of course, even if someone were to get hold of your 1Password data through Dropbox or some other means, they would not be able to get your usernames, passwords, and other data stored within it without knowing your 1Password Master Password. That is because we designed the 1Password data format with the knowledge that some people may have their data files stolen. Indeed, just yesterday I wrote (in gory detail) just how well 1Password and your Master Password work together to resist even the most sophisticated password cracking tools.

Irony, spam, and discovery

One of the accounts broken into that way belonged to a Dropbox employee. It turned out that the unnamed (but presumably very embarrassed) employee also had some files that included the usernames (which are email addresses) of some Dropbox customers. Naturally, the attackers did what attackers do when they get a hold of a bunch of email addresses: they passed (presumably sold) that list to spammers.

Again, it was only the email addresses that got taken; not passwords. But then, spam went out to a number of Dropbox users, some of whom had set up site-specific email addresses. For example, Patty may have created an email address patty+dropbox@example.com that she used only for Dropbox. Nobody knew or ever saw that email address except for Patty and Dropbox.

But if patty+dropbox@example.com was among the email addresses stolen and passed on to spammers, Patty would start getting spam to that address. Patty, being the clever one, would realize that somehow her Dropbox email address had been captured. She might even complain to Dropbox about this, along with a few others who have suddenly seen spam to their Dropbox-only email address.

And now we arrive at the beginning of the story. It was exactly complaints like this that led Dropbox to bring in an outside security investigator to look at the spam issue back on July 18.
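Patty's site-specific address works as a leak canary, and the check can be automated. The following added example (not from the original post) scans constructed mail headers for plus-tagged recipients and reports every tag that received mail from a sender outside the domains expected for it. The tag-to-domain mapping, the sample messages and the use of the spoofable From header as the sender are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the sender domains that legitimately know each tagged address.
EXPECTED_SENDERS = {"dropbox": {"dropbox.com"}, "bank": {"bank.example"}}

# Constructed sample messages; only the headers matter here.
SAMPLE_MAIL = [
    "From: Dropbox <no-reply@email.dropbox.com>\nTo: patty+dropbox@example.com\n"
    "Subject: Shared folder\n\nhi\n",
    "From: Deals <win@cheap-pills.example>\nTo: Patty+Dropbox@example.com\n"
    "Subject: You won\n\nclick\n",
    "From: Deals <win@cheap-pills.example>\nTo: patty@example.com\n"
    "Subject: You won\n\nclick\n",
    "From: Bank <alerts@bank.example>\nTo: patty+bank@example.com\n"
    "Subject: Statement\n\nok\n",
]


def split_tag(address):
    """Return (base_address, tag) for a plus-addressed mailbox; tag is None if absent."""
    local, _, domain = address.lower().rpartition("@")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus and tag else None)


def sender_domain(msg):
    """Domain of the From header. It is spoofable; a production check would
    rely on an authenticated domain (for example a verified DKIM signature)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower().rpartition("@")[2]


def is_expected(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def leaked_tags(raw_messages, expected=EXPECTED_SENDERS):
    """Map each tag to the sorted unexpected sender domains that wrote to it."""
    findings = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = sender_domain(msg)
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for _, rcpt in recipients:
            _, tag = split_tag(rcpt)
            if tag is None:
                continue  # untagged address: says nothing about who leaked it
            if not is_expected(domain, expected.get(tag, set())):
                findings.setdefault(tag, set()).add(domain)
    return {tag: sorted(domains) for tag, domains in findings.items()}


if __name__ == "__main__":
    for tag, domains in leaked_tags(SAMPLE_MAIL).items():
        print(f"address tagged '{tag}' received mail from: {', '.join(domains)}")
```

A hit on the `dropbox` tag says only that the address reached a third party; as in the story above, it takes an investigation to learn how.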

What have we learned and what is there to do?

First of all, we have been reminded yet again that Molly is not as clever as she thinks she is, while Patty shows an abundance of caution (sometimes too much). Now, regular readers of my posts will know that Molly and Patty are my dogs. Molly, while incredibly sweet, wins few prizes for intelligence. Patty is much brighter, but is always on high alert and will fire off a warning bark if a molecule moves across the street. There is a lesson somewhere in here about learning to be cautious about the right things. Panicked people (and dogs) tend to make poor security decisions, but that discussion is for another time. All we need to say here is that Molly, as presented above, needs to have a unique password for each site.

We are also reminded that one site’s security is dependent in some ways on other sites. The operators of chasing-cute-cats.com might think that they don’t need to be particularly careful with their users’ passwords, but they are wrong. As long as people (or dogs) reuse passwords, it is the responsibility of everyone who stores passwords to store them in uncrackable forms.

Furthermore, because so many websites and services are storing passwords poorly, we all need to act as if our website passwords are stored poorly at each site. As we’ve been reminded by an ongoing case involving Tesco (a large grocery chain and retailer in the UK and Europe), generic statements like “passwords are stored in a secure way” are meaningless unless we are told how they are encrypted.

How many passwords do I need to remember?

I would love to be able to say that with 1Password you only need to remember your 1Password Master Password. It’s in the name. 1Password does the job of remembering all of the other non-memorable passwords. After all, Troy Hunt is largely right when he says that the only secure password is the one that you can’t remember. But the first thing I do when I set up a new computer is install Dropbox to sync my 1Password data, and then install 1Password. There are times when I need to know my Dropbox password in order to be able to use 1Password. So, despite the name, I actually need to remember two strong, unique, and, this time, memorable passwords.

Fortunately, you and I can use the mechanism described in Toward Better Master Passwords to be able to manage the very few passwords that we actually need to remember.

OAuth, Dropbox, and your 1Password data

A number of iOS apps, including 1Password, have a security problem in how they handle OAuth tokens. 1Password 3.6.5, which was submitted to Apple several days ago, fixes this. This will be a free update for all owners of 1Password for iPhone, 1Password for iPad, and 1Password Pro (for iPhone and iPad). We can’t predict how long Apple’s approval process will take, but the update should be available soon, if it isn’t already by the time you read this.

Because of this bug, someone who gains physical access to your device may be able to copy authentication tokens off of it, then install those tokens on their own device to access your Dropbox data. It is not entirely clear at the moment under what circumstances an attacker will also need the device passcode. It appears that if the device has previously been synced with the computer the passcode isn’t required. In any case it is important to keep your iPhone, iPad, or iPod Touch protected with a good passcode.

We have been extremely careful in how we store your Dropbox username and password for automatic syncing, but like many others, we didn’t take the appropriate precautions when it came to OAuth tokens. These tokens allow quick connection to Dropbox (Facebook and other services also use OAuth). Of course, any 1Password data that an attacker fetches from your Dropbox account is still encrypted by 1Password.

In 1Password 3.6.5, which we submitted to Apple at the beginning of the week, we store OAuth tokens securely in the iOS keychain, where they are properly encrypted and cannot be copied to other devices. However, if other apps that use Dropbox have the same problem (and it looks pretty common), then OAuth tokens can be copied from those apps as well.

The OAuth problem

The problem of how OAuth tokens are stored was first discussed Tuesday (April 3) by Gareth Wright reporting on the Facebook iOS app. Since then, it became clear that the Dropbox app itself has the same problem. Presumably there are many other apps that connect to services like Facebook or Dropbox that are unfortunately in the same boat.

Dropbox have told The Next Web that:

[Our] Android app is not impacted because it stores access tokens in a protected location. We are currently updating our iOS app to do the same.

Facebook’s initial statements have been less clear, but no doubt they will be submitting a fix soon.

For one of the best discussions of this whole thing, please see the report and analysis by The Next Web.

What this means for you and your 1Password data

This design problem, both in versions of 1Password prior to 3.6.5 and in other apps, means that it is easier for an attacker to get hold of and manipulate your 1Password data stored on Dropbox than we had anticipated. I used to say that it was far more likely that someone could get hold of your 1Password data by stealing your Desktop computer than by getting it off of Dropbox. I certainly have to revise that assessment.

The good news is that your usernames and passwords (along with notes and attachments) are well encrypted. Even if someone gains full control of your Dropbox account they will not be able to get at the secrets encrypted in your 1Password data. We have also been busily working on an updated version of our data format that is even better suited for life in the cloud.

You can also manage which devices are allowed to connect to Dropbox. That is, you can instruct Dropbox to reject certain OAuth tokens and also view the last few times each authorized device has connected.

To manage your Dropbox devices, log in to your Dropbox account with a web browser, and under your account name, go to Settings and then “My Computers”. If you suspect that an OAuth token has been stolen, you can unlink the computer or device. After that you will need to relink the computer or device to your Dropbox account using your Dropbox username and password.

Alternatives to Dropbox

Every time there is a security issue with Dropbox, people rightfully suggest that we offer alternative syncing mechanisms. At this point, there is nothing that I’m in a position to say beyond what we’ve said earlier in “Dropbox Terms”. There are developments, but nothing I am even willing to hint at just yet.

More security changes to come in 3.6.5

The changes coming in 3.6.5 are all about security and bug fixes. Please see “1Password 3.6.5 for iOS is out with PBKDF2 goodness!” for details.

Appendix: When is a passcode required for this attack?

When an iOS device is connected to a computer that it hasn’t connected to previously, the user will be prompted to enter the passcode on the iOS device. After that first connection, the computer will store some keys that will allow it to unlock the iOS device for future connections.

So once you have unlocked your iPhone for a particular computer, when you plug it in later, you do not need to unlock it for the file system on the device to be visible to tools like iExplorer. This is presumably why initial reports of this issue claimed that no device passcode was necessary to extract the files containing the OAuth tokens.

There is, unfortunately, one further complication. iTunes will automatically unlock the device for any user account on the same computer that the device has previously been unlocked on. That is, if Alice and Bob both have user accounts on the same Mac, and Alice has at one point entered her passcode on her iPad to allow syncing, then Bob will be able to gain access to most of Alice’s iPad simply by using iTunes in his account on the Mac. What is worse is that Bob’s account on the computer can also be a guest account, and he will still have access.

All of the testing I have done has been with iTunes 10.6.1 on Mac OS X 10.7.3 (Lion). I have not tested this with iTunes on Microsoft operating systems.

What is worrisome here is that exactly the same people (co-workers, family members) who have the easiest access to your iOS devices are very likely to have some account on the same computer that you have used.

Still, passcodes do matter so please remember that a good device passcode is a good idea.

Data protection classes

As of 1Password 3.6.5 we put the OAuth information into the iOS keychain using the “ThisDeviceOnly” data protection class that will not allow the OAuth token to be copied from the device unencrypted. There is a bit of terminological muddle in that “ThisDeviceOnly” and “ProtectionComplete” mean the same thing except that the former is used with keychain items and the latter used with files. I prefer the term “non-migratable” to cover both.

The application property list files (plists) contain app preference settings, and these plists do not have the non-migratable restriction on them; they are fully accessible once the device has been unlocked. Note that data with the non-migratable restriction cannot be restored from an iTunes or iCloud backup to a different device. So if you replace your iPhone or iPad, you will need to re-enter your Dropbox credentials to reestablish automatic syncing.

Please join the discussion of this on our forums.

1Password 3.5.12 is out for Leopard users!

Ok Leopard users, this update is just for you—literally! Last month we released huge updates for Snow Leopard and Lion Mac users and Windows users, and now we have something special in store for those of you who are on Mac OS X 10.5 Leopard.

1Password 3.5.12 is available now specifically for Leopard users, and it brings a couple of key additions. First up is support for Firefox 5 on Intel-based Macs. Why does our Firefox 5 support only work for Intel-based Macs, you ask? Mostly because, with version 5, Mozilla went Intel-only with Firefox.

The other big change in 1Password 3.5.12 for Mac involves Dropbox, and this one is for both Intel and PowerPC users on Leopard. Dropbox has an upgrade coming that makes some big changes under the hood, especially in regards to protecting some of its key database files and allowing applications like 1Password to figure out where your Dropbox folder is. We worked with the company to support these changes and maintain a smooth experience for 1Password users. These changes arrived in our aforementioned updates last month, and now Leopard users will be prepared for Dropbox’s upgrade when it arrives.

As usual, if you’ve had your fill of cute cat videos and hyper-stylized photos for the day, you can read our full list of changes in 1Password 3.5.12 on our versions page. Leopard users who want to update can go to 1Password > Check for Updates.