Why does 1Password need to see all of Dropbox?

By using 1Password aren&#x27;t you already completely trusting the developers?<p>I mean, it&#x27;s a <i>proprietary</i> application that you use to store all your passwords and other sensitive data. I&#x27;m pretty sure having read&#x2F;write access to your dropbox folder is the least of your worries if the developers had malicious intentions.

Look at the 1Password database files. They appear to be JSON, with no integrity mechanism, with many unencrypted fields. I have to wonder if the clients handle this data safely, and why they choose to encrypt only certain fields. It doesn&#x27;t give me a lot of confidence.

Seems like they were granted multiple deadline extensions to address this:<p><a href="http://discussions.agilebits.com/discussion/comment/112937/#Comment_112937" rel="nofollow">http:&#x2F;&#x2F;discussions.agilebits.com&#x2F;discussion&#x2F;comment&#x2F;112937&#x2F;#...</a>

<i>It is impossible to explain why 1Password data on Dropbox can be in such odd locations without discussing history, but the short answer is that we originally allowed 1Password users to place their data anywhere they wished on Dropbox. In order to help 1Password actually find where that data is, we also had it write the location into a file at the root of the Dropbox folder, in a file called .ws.agile.1Password.settings.</i><p>If the file just contains a pointer to a subdirectory, why does it need to be stored on the user&#x27;s Dropbox account at all? Couldn&#x27;t they keep track of the preferred Dropbox folder themselves, on a per-user basis?

Why not just create a separate Dropbox account strictly for your 1password files? It&#x27;s free anyway, and then you don&#x27;t have to worry about then getting access to more information than they really need.

This, and the (at least practical) inability to read the source of 1PasswordAnywhere (which I often want to use from a machine in my house&#x2F;a friends house without 1password installed, etc) is why I made Mr. Password. It also uses Dropbox, but it uses the Datastore API (so it can only access it&#x27;s own data), and it&#x27;s open source.<p><a href="https://bitbucket.org/rfunduk/mrpassword" rel="nofollow">https:&#x2F;&#x2F;bitbucket.org&#x2F;rfunduk&#x2F;mrpassword</a>

I work for AgileBits. As the document you linked to explains, this is an accident of history that we would love to undo. It is hard to provide the user flexibility that people want in selecting their data location.<p>We don&#x27;t want to train people to ignore things like the Dropbox notification nor do we like violating the principle of least authority. But until we find a way out of this mess without seriously disrupting things for a very large number of users, we are stuck with it.<p>We don&#x27;t usually reveal company internal processes, but I am personally to blame for this situation. When we first started explicit Dropbox integration, we discussed whether we should force a specific Dropbox location for all 1Password data. We had a number of power users who had some unusual set-ups and wanted to organize their Dropbox data as they wished. I pushed for supporting those power users. In retrospect that was a bad idea, but this was before the days of any real Dropbox sandboxing.

BTW, what happened to Dropbox becoming an iCloud alternative?<p>I rarely use Dropbox to sync app data because it&#x27;s always fully visible in Dropbox and messes up my directory structure. (Although chflags hidden usually helps …)

We&#x27;ve had this same problem at Blogvio. Users asked us why we need access to their entire Dropbox. And indeed we didn&#x27;t need - but we didn&#x27;t know better either.<p>After a bit of research we found out we can have a specific folder set to Blogvio that would sync with the system. And that, combined with something like Zapier is a much better solution that we envisioned first. Learning by mistakes! :-)

I&#x27;m fairly certain this is something Dropbox is working on, full r-w access but only in the apps specific sandboxed folder.

The bigger issue (at least to me) is that Dropbox, and every other application granted Dropbox access, has access to your encrypted 1Password datafile. It&#x27;s why I don&#x27;t use cloud services to sync my 1Password file.

They address this in their security user guide - <a href="http://learn.agilebits.com/1Password4/Security/dropbox-permission-request.html" rel="nofollow">http:&#x2F;&#x2F;learn.agilebits.com&#x2F;1Password4&#x2F;Security&#x2F;dropbox-permi...</a>