Security of storing 1Password data in the Cloud

Your secrets in your 1Password data are safe wherever they are stored. Although we don’t recommend making your 1Password database publicly available to the world, we have designed it so that your usernames, passwords and the other secret data stored within it are protected no matter whose hands it falls into. For this and other reasons we are very confident when we recommend cloud syncing of 1Password data with Dropbox. The remainder of this document goes into increasing detail about the security measures in place and the issues surrounding them.

Here are some key points you may read about below

  1. Your master password is never transmitted from your computer or device.
  2. All 1Password decryption and encryption is performed on your computer or device.
  3. The 1Password data format was designed to withstand sophisticated attacks if it fell into the wrong hands.
  4. Dropbox provides an additional layer of encryption.

Overview

When we first designed 1Password we anticipated that some users would have their computers stolen. The same security measures that we built into the design of the Agile keychain for dealing with the theft of a computer also keep your private data safe should cloud storage be compromised. As we are actively promoting cloud syncing through Dropbox to provide automatic syncing among all your computers and devices, it is useful for us to describe these security features and why we feel that storing your 1Password data in the Cloud is safe.

This article focuses on the security of your data stored in the Cloud. We have a separate document discussing the security of the sync process, which explains – among other things – that your master password is never transmitted. All 1Password decryption is done on your own device or computer.

We believe that Dropbox is a secure hosting environment. Although it is impossible to estimate these sorts of things, we strongly suspect that there is far less of a chance of your data being stolen from Dropbox than there is of your personal computer being stolen with your 1Password data on it. Our data format is designed to protect you in the event that your computer is stolen, and by the same token, protects you from the even less likely event that Dropbox becomes compromised.

If your 1Password data are captured, the encrypted information is protected against every attack that professional cryptographers and security experts currently know how to mount. However, some information among your 1Password data is not encrypted. The unencrypted information includes the web locations (URLs) and the Titles you give to items. The unencrypted information available is similar to the information available from web browser bookmarks. Although we may not be comfortable with that information being compromised, it is not a significant security risk for most people.

Dropbox security

When assessing the security of data stored on Dropbox (or anywhere else) there are two general questions. We need to consider the vulnerability of the data to someone working from outside of Dropbox, but we also need to consider the possibility of an insider attack.

Dropbox makes use of Amazon’s S3 data hosting. Amazon provides an overview of their security process. As an additional layer of security, Dropbox adds its own encryption of the data. As a consequence a successful attack on Amazon’s S3 hosting service (either from within Amazon or from without) would not by itself expose any data stored using Dropbox.

Probably the weakest link in Dropbox’s security will be user passwords. In particular, users who use the same password on multiple sites are at the most risk. However, if you are reading this document you already know better than to do that.

Some concerns have been raised about how Dropbox stores authentication tokens on your computer. If someone gains access to your computer, even briefly, they can steal what almost amounts to a special password that is used for syncing. To what extent this constitutes a meaningful threat is still being debated. Dropbox founder Arash Ferdowsi, along with others, has correctly pointed out that if someone has enough access to get this authentication token then they will already have access to what is stored in your Dropbox folder on that machine. Furthermore, if someone malicious gains access to your computer they can usually install malicious software that fully compromises everything that is done on that computer. Others argue that there are plausible scenarios where this design element could be the best avenue of attack.

Given our other protections in 1Password, plus the arguments presented by Dropbox in defense of their design, we do not believe that this poses a significant risk to 1Password users syncing with Dropbox. However we are paying close attention to developments and discussion, as well as looking for ways to make your 1Password data even better protected than it already is.

Another concern that has been raised about Dropbox security has no impact whatsoever on 1Password users. When syncing to mobile devices, Dropbox does not encrypt the file names of the files that need to be updated. 1Password filenames are random and contain no sensitive information.

The Dropbox security FAQ states that “dropbox employees aren’t able to access user files, and when troubleshooting an account they only have access to file metadata (filenames, file sizes, etc., not the file contents).” However, this statement in their privacy policy shows that Dropbox as a whole can undo its own encryption: “If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.” So while Dropbox may limit what individual employees can get at, thus dramatically reducing the scope for an insider attack, we do need to keep in mind that user data files stored on Dropbox are in principle accessible to Dropbox.

Despite these concerns, Dropbox does provide basic security precautions including using SSL for transmitting content and providing their own separate layer of encryption server side. When this is taken in combination with 1Password’s own encryption (the topic of the next section) we remain comfortable recommending Dropbox syncing of 1Password data.

Agile keychain security

The design and security of your 1Password data is described elsewhere. In short, brute-forcing the key that protects the encrypted material within the Agile keychain would take all of the computers on the planet working in tandem many times longer than the age of the universe. The realistic way in is therefore not the cipher but a weak master password, which is why the key strengthening described below matters. We make use of the OpenSSL libraries to provide algorithms, protocols and implementations of our encryption. These are developed and maintained by a wide, open community of experts. In our choice of protocols, we rely on the recommendations of that expert community. We also understand that just as important as the choice of encryption algorithm and cipher mode is the choice and design of protocols.

Key strengthening

One of these protocols that is worth mentioning at this point is the use of the key strengthening function PBKDF2. This protects your data against password guessing (password cracking) programs in a number of ways. Before we can explain how that works, you need to know a bit more of what 1Password does when it decrypts your data. Your data is not directly encrypted with your master password. Instead it is encrypted with a random 128-bit number that was picked when 1Password first created your Agile keychain. That 128-bit number is your true decryption key. This key, in turn, is encrypted using your master password.

The computation (AES-128) to get from your decryption key to your data is designed to be quick; but the computation (PBKDF2) to get from your master password to your actual decryption key is designed to be slow. This means that when you enter your master password you have to wait a fraction of a second. That fraction of a second, however, makes it enormously harder for automated guessing programs. Without PBKDF2, well designed automatic password guessing programs can try millions of passwords per second; with this key strengthening, on the same hardware, this is reduced to a few hundred per second. Another consequence of this system is that even if two people use the same master password, they will have different encryption keys and so their data will be encrypted differently.

Unlocked vaults or unlocked boxes

The keychain design document makes it clear that some data are not encrypted. This section elaborates on why that is the case and why we feel that this is the correct choice.

To better understand what information is and isn’t encrypted in your 1Password data some background is required. This will involve a change of metaphor for how to think about what it means when your data are locked or unlocked.

For your security, 1Password decrypts as little information as possible at any given moment. 1Password presents itself to the user as either “locked” or “unlocked.” The impression someone might get from this is that when 1Password is unlocked, all of the information is suddenly decrypted. This, however, is not how 1Password really works. A system like that would suffer from having far too much of your sensitive information decrypted in computer memory or, worse, written to disk. 1Password avoids this problem by only decrypting the particular item you need at any given time and then forgetting that information when it is no longer needed. So instead of thinking of an unlocked state as a vault with all of your information lying open, it is better to think of things differently.

Imagine, instead of a vault that is locked or unlocked, a room full of locked boxes. Each box requires a key to open it, and it is the same key for every box. When you have entered your master password, that key is available, although all of the boxes still remain locked. At various times 1Password will select a box and unlock that particular one. When it is done with the contents of that box, it will lock it again.

When you go to a login page, say http://www.example.com/Login.php, 1Password needs to find all of the boxes that could potentially be a Login for that location. It also needs to present you with a list of those potential Logins so that you can choose among them. Conceivably (but incorrectly), 1Password could go and unlock each box in the room looking through their contents to determine which ones are potential matches. But that would take a very long time. Opening a single box doesn’t take any noticeable time, but opening all of them would be prohibitively slow.

What we have done is put labels on the outside of each box. The labels contain, most importantly, the web location associated with that Login and the title that you gave to that Login. This way 1Password can scan the locations quickly without having to unlock any boxes. It can then present you with the titles of the ones that are potential matches. Only once you choose to fill with a particular Login does 1Password unlock that one box.

The downside of this is that 1Password must keep the titles and the web locations unencrypted in your data. The good part of this strategy is that 1Password can still be used to match individual web pages and it does not have to keep all of your username and password information decrypted, which would be far worse from a security point of view. As we develop 1Password further, we are exploring ways to have it work with all data encrypted. We expect to have a new data format in which all data are encrypted prior to the release of 1Password 4.

The information which 1Password keeps decrypted in your data is very similar to what you may have in a browser bookmarks file. In addition to the location and title are tags, Folder, password strength, creation time, and last modify time. Any of the fields that can be used for sorting or arranging the display of your items in the 1Password app are not encrypted. Everything else is.

It is important to remember that even that information is only available if someone captures your 1Password data file. That would mean either Dropbox becoming compromised, your own computer becoming compromised, or the SSL communication between your computer and Dropbox becoming compromised. The first and the last of those are the least likely. As we said at the beginning of this article, 1Password was designed with the knowledge that some users would have their computers stolen. We do not believe that syncing to the cloud via Dropbox diminishes the security of your data in any meaningful way.

Some final words

We present this information here so that you understand what is happening and can make your own choices. You are in control of what happens with your data, but the ability to conveniently and reliably synchronize your data across a variety of systems makes it necessary to use some third party storage. We strongly feel that having your 1Password data securely available to you on your Macs, PCs, iOS and Android devices makes you more secure in meaningful and practical ways on a day to day basis. All of us at AgileBits happily use Dropbox. We believe that in the vast majority of cases data are safer there than they are on your own computer, and we have designed 1Password’s data format and encryption protocols to protect you against theft of that data no matter how that theft may take place.