
Use "App folder" access type instead of "Full Dropbox" - kobayashi
https://discussions.agilebits.com/discussion/comment/348508/
======
res0nat0r
I feel sorry for companies these days who have to continually respond kindly
(for years in this case) to unreasonable customer demands via forums/facebook
even when they've clearly stated why things are configured the way they are
and changing that will break functionality for tens of thousands of people.

Some companies after a while just need to start following the Wendy's Twitter
account model where they start just telling folks like it is after they've
shown they aren't going to be reasonable.

~~~
stupidcar
I feel bad for users who have to deal with supposedly-security minded
companies who cite weak, historical reasons for not doing the right thing
_now_.

Companies who ignore the actual solutions proposed to them, and instead attack
a straw-man. Claiming they're being asked to make backwards incompatible
changes for all existing users, instead of providing an opt-in alternative
for users who actually care about their security.

Companies whose culture is so inept that they blindly commit the most basic of
engineering fallacies: Rejecting solutions on the basis of minor flaws, while
defending an incumbent solution with _massive_ flaws, simply because it is
incumbent.

~~~
Terretta
Are users' Dropbox creds (password, optional 2FA) in 1Password?

Do you see AgileBits' point about that?

If your own creds are able to use more than the app folder, and if your threat
is AgileBits' binary, the 1P app folder permissions will do nothing, the evil
binary will just use your full creds.

Sounds like clamoring for them to reduce a bunch of use cases in service of
security theater.

~~~
hartator
AgileBits is doing the wrong thing here.

Dropbox full access is stored on their servers and it's in clear text. Dropbox
regular login/password is also stored on their servers, but encrypted via a
remote master key.

If AgileBits is compromised, they can access all your Dropbox files. Attackers
still can't access regular login/password because of the lack of master keys.

~~~
alphabettsy
Almost everything you just said is incorrect.

You don't even enter your dropbox password into the app unless you're storing
it as a credential, they present an authentication dialogue for the dropbox
API just like all other third-party apps accessing Dropbox and store the OAuth
key on the client. Not the server. That's why you have to re-authenticate with
dropbox on every device you want to set up 1Password sync.

~~~
nikolay
Okay, but this still makes the device able to access my entire Dropbox, which is
insane!

------
jzl
I'm trying to understand this comment in the post:

_As it stands now, if you are compromised, whether through a hack, state
action, or even a disgruntled employee, you will expose the full contents of
tens of thousands of Dropboxes, a monumental security nightmare for your
company._

Does 1Password have a web-based interface where you authenticate against
Dropbox and it stores the credentials server-side? I didn't think it did but
I'm not super familiar with 1Password.

Otherwise the only attack vector is a compromised 1Password application,
right? Not saying that's impossible, but if you are opening scenarios to that
line of attack then _many_ worse things could happen even if the app
didn't have outright Dropbox credentials.

~~~
nodamage
I'm confused too. To my knowledge Dropbox credentials are only ever stored on
the client. If the 1Password client is compromised (presumably meaning the
installer download is hijacked like what happened to Transmission), your
Dropbox files being compromised will be the least of your worries.

------
jhgg
Perhaps I'm a bit dense here, but in the proposed attack scenario, couldn't
the compromised 1Password application just send all passwords to a malicious
server when the vault is unlocked - and, assuming you have your Dropbox
credentials in your 1Password, log in and take your files anyways?

~~~
akerl_
A compromised 1Password on a Mac could just read the contents of ~/Dropbox and
fling it at a remote server, bypassing any Dropbox API perms entirely, even if
the user of the system was using non-Dropbox syncing for their 1Password
Vault.

Not that the problem is localized to 1Password: any non-sandboxed app could do
that, given the default system configuration.

~~~
nodamage
A compromised 1Password application on a Mac can read a lot more than
~/Dropbox. I'm not sure why this problem is specific to Dropbox? Nor why
changing the permission would materially change anything? Am I missing
something?

~~~
akerl_
Nope, your understanding is correct. That's why I'm not very concerned about
the lack of "App folder" access strategies.

------
marklawrutgers
For non-enterprise users, Dropbox's encryption is basically meaningless. If
you have sensitive information you want to store in Dropbox, Google Cloud,
iCloud, etc., I'd recommend using something like Cryptomator:
[https://cryptomator.org/](https://cryptomator.org/) to encrypt files on the
client side before uploading to "the cloud". It's open source for security
experts to look through it and free for desktop OSs. I think they just charge
something like 5 bucks for the iOS and Android apps.

For alternatives to the popular cloud services for the privacy conscious,
there's a good list of open source projects and products on
[https://www.privacytools.io](https://www.privacytools.io)

~~~
nipunn1313
This is not an all or nothing issue. For example, if you store sensitive
videos, but rely on Dropbox's ability to transcode and preview the video in a
web browser, then something like Cryptomator would not make sense. Encrypting
on wire/at rest is the best you can do unless you run the transcoding
yourself.

Dropbox could support both modes, but the company has obviously made a
decision to prioritize one over the other (at least for now).

------
newscracker
> The alternative solutions aren't great. $36 a year to store a couple
> megabytes of data is outlandish. If you'd like to transition us to this from
> Dropbox, the price must be drastically reduced.

I've found AgileBits a bit weird in some of the decisions. It's clear that
selling a password manager for $65 is no longer working well for the company,
and so the subscriptions were introduced (IIRC, shared vaults exist only in
the subscription). But as the OP says in the forum post, the subscription
prices are quite high from a value standpoint when people have been using
Dropbox or iCloud or something else all along. I've seen that AgileBits is
also a bit slow to learn from customer feedback (like the MAS-only fiasco a
few years ago). As more and more apps move toward a subscription model rather
than a one-time pay-for-a-major-version model, I foresee more customer backlash
on prices.

Edit: This backlash against subscription has already happened on the app store
for Facetune and Infuse, to name two apps.

~~~
jasonpbecker
As someone who buys this for every employee at his organization, I couldn't
disagree more.

It's a huge deal that I can control who shares and sees what vault, turn off
an employee's access as soon as they are leaving the company, revoke tokens,
etc.

Before this we were using Dropbox and it was a nightmare. Credentials for a
bunch of things were mixed up in the wrong vaults, far more duplication,
revoking access was more of a pain, etc.

1Password for a family sharing may not be worth it, maybe not even for a small
5 person shop with a very stable set of employees who are all savvy. But with
25 or so people with varying levels of technical expertise and actually
critical information being shared, 1Password's subscription is a godsend.

~~~
halostatue
I have 1Password for family sharing (the online service), and it's _totally_
worth it. I've been a 1Password user since the AgileBits blog was the
"Switcher's Blog" and have bought every version they have released for Mac and
iOS because it does exactly what they say it does, and they review their
security pretty regularly. (It helps that I've met people on the team, but
that's a secondary matter.)

For US$48 per year (I have the launch special, but it saves me $12/year), I
have four people currently signed up (I could add three more; again, the
launch special gives me two extra) where we can share passwords. I also have
any major version of the software released now for any platform.

More importantly, I have been able to get my parents on 1Password _reliably_
in a way that if they are incapacitated, my brother or I can use their
accounts to make sure bills are paid when they should be (at least, that will
happen when we have all of their accounts added to 1Password, but that’s a
relatively small thing now). This is important because neither I nor my
brother live near my parents (I’m in a different country). The software
versions? Pretty important: I’m on Mac and iOS; my brother is on Mac and
Android; my mom is on Windows and iOS; and my dad is on Windows and iOS and
Android. Keeping those up-to-date with major versions would eventually get
more expensive than the peace-of-mind that I have now.

LastPass does all of this cheaper at scale for companies ($2.40–$4/user/month)
than 1Password ($4–$11/user/month) but the UX for LastPass is abysmal
(although it does have a dedicated Linux client for those who need that)…and I
honestly don’t trust LogMeIn at all. The other one that I have any opinions
about is Dashlane, and it’s second/third-hand that it’s pretty good software
(I haven’t used it because I’ve integrated 1Password in my workflow so
deeply).

Yes, 1Password for families is worth every penny I pay.

------
AdamN
If you're security minded, don't use Dropbox for syncing (or at all - it's
kind of a mediocre service these days).

~~~
growse
Annoyingly, 1Password don't support syncing opvaults from an arbitrary
location on the filesystem to allow you to use Syncthing. It's literally the
only reason I still have a Dropbox account.

~~~
nucleardog
It does... That's how I've been doing my syncing.

All my 1Password vaults are kept in my ownCloud account. Even works fine on
Android where I use an app called FolderSync to keep my vault synchronized on
my phone and have added it to the 1Password Android app.

~~~
neosynthesis
I was trying this too. I've set up my own cloud and I only wanted local LAN
sync, but I'm not able to sync to my 1Password Android.

May I ask: on the Android app, where are you keeping the opvault file? When I
pointed the Android app folder sync to the opvault folder downloaded to my
Android phone, it said 'no vault found'. Are you using the old keychain file
format?

thanks kindly

------
nipunn1313
The OAuth tokens are stored on the client.

In order to exploit the suggested privilege escalation, you would need to
exploit the client to feed you the OAuth code. If you are exploiting the
1Password client, you can do ANYTHING (including grabbing passwords after you
decrypt, reading the filesystem, popping up a PWNED dialog). I don't think this
effort should be urgent for 1Password.

This recommendation doesn't make me feel meaningfully safer

(unless 1Password has some clever process jailing inside their code to isolate
the decryption component from the cloud component)

------
alphabettsy
The point is that it would break features for many users in exchange for
security theater.

Limiting the access of Dropbox is all well and great except that it breaks
sharing, which many people use, in exchange you simply move the files to
another folder on the same Dropbox which effectively does nothing.

Slightly off topic, but who stores sensitive files unencrypted in Dropbox
anyways?

~~~
Pharylon
I do. I keep my backup 2-factor authentication code for Gmail in my Dropbox
folder.

Access to my Dropbox account would compromise my Gmail account (and vice
versa, since I keep my backup Dropbox 2-factors in Google Drive). I consider
these two accounts my most sensitive/critical accounts for that reason. Could
I encrypt the files in Dropbox? Sure. But that would make it more difficult to
get to those backup keys (I might be reading them off a text file from the
Dropbox app on my phone, for instance).

Has this happened often? No. Like, literally once. But it has happened, and I
need to be able to recover my backup 2-factor codes.

~~~
alphabettsy
This is the whole purpose of using a password manager. 1Password is capable of
providing OTP codes instead of something like Google Auth. Obviously this
makes 1Password a single point of failure, but that's true of password
managers in general anyways since people usually put all of their sensitive
things into them. At least with 1Password you can isolate items into vaults.

------
robocaptain
Just curious what the general consensus of 1Password is here on HN? I am
especially interested to hear from people that are actually using/paying for
the cloud hosting (their servers).

~~~
nilved
Trusting someone else with your passwords is playing with fire.

~~~
karmajunkie
The alternative is trusting ME with all those passwords, which is far more
dangerous. Because I'm neither going to do a good job of creating passwords,
nor of remembering them, so I'm going to end up using the same shitty password
on every site I care about.

~~~
nilved
Well, whose fault is that? I can tell you how to do it right, but it sounds
like you're limiting yourself. If you prefer to do it wrong, feel free.

------
nstr10
+1 for security theater. If 1Pass app is compromised, you're compromised -
period. Even with app permissions, does it not still have file system access?
I don't see how this change would prevent it from accessing all your Dropbox
files anyway. Also, since Dropbox uses an exploit to gain permissions, I'd say
we're placing blame in entirely the wrong place here. On the other hand, the
1Pass folks in that thread are giving all the wrong reasons. "We won't do this
because it's hard," is very different from, "we won't do this because it
offers no benefit in any scenario." Users who are security conscious aren't
using Dropbox to sync their password vaults.

------
tyfon
I have been using KeePass for some years. It's open source and works on
basically every platform there is.

What is the advantage of 1password compared to the rest of the lot? I keep
seeing the name in articles so it must be popular, but I associate it with
passwords stored in the cloud which sounds insane to me.

~~~
tomku
Your association isn't really accurate. 1Password's storage model is basically
the same as KeePass; your passwords are stored in encrypted blobs that are not
decryptable without your master password, which is never sent over the network
even if you use their completely optional cloud storage and web interface. If
you don't want to trust them with even your encrypted blobs, it also supports
sync via Dropbox or iCloud, or over wifi to your phone/tablet, or just to a
plain folder.

As far as advantages, I'd say that 1Password is a very slick and well-designed
password manager that focuses on covering a particular common case - someone
with a Mac, an iPhone/Android device and possibly a Windows PC who wants to
sync their passwords between those devices and fill passwords in their
browsers. It offers first-party supported browser extensions and handles
conflicting sync changes well, which were two major pain points for me when I
used KeePass.

If you're happy with KeePass, there's not really a compelling reason to
switch. If you fit their target audience and want something with better
sync/browser integration and/or a better Mac client, I think it's a compelling
alternative.

------
chuckgreenman
If 1Password was compromised wouldn't an attacker have your Dropbox
credentials anyway?

------
noja
Would 1Password on desktop work even with an App folder?

------
jbverschoor
Yay, keychain

------
chj
As a customer of 1Password, I will never move my password files into their
cloud.

~~~
atmosx
Encryption is meant to provide security in a hostile environment (the cloud in
this instance). So, as long as you're using proper encryption and long enough
pass phrases to make brute-forcing nearly impossible, storing info on the
cloud should be okay.

~~~
chj
Well, I prefer to store the password files on Dropbox because Dropbox guys are
unlikely to know how the files are encrypted. That actually makes brute-forcing
a little bit more difficult.

------
incunix
I've had this very same thought, really needs addressing. Not sure why this is
such a hard thing to achieve tbh

------
clishem
So happy I replaced 1Password with a 600 line shell script:
[https://www.passwordstore.org](https://www.passwordstore.org)

------
SarlCagan
[http://passwordlive.github.io/](http://passwordlive.github.io/)

~~~
rolfvandekrol
This is a deterministic password manager, which is not a very good idea.
[https://tonyarcieri.com/4-fatal-flaws-in-deterministic-passw...](https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers)

