Dropbox is Working On Its Own Password Manager

AndroidPolice: Dropbox just unceremoniously dumped a brand new app on the Play Store with no fanfare or formal announcement. The new Dropbox Passwords app, according to its listing, is a password manager available exclusively in an invite-only private beta for some Dropbox customers. Based on screenshots and description, the app seems pretty barebones -- or "minimal," depending on your tastes. Dropbox seems to intentionally avoid calling it a "password manager," though its functionality otherwise appears about the same as other solutions. Like other password managers, Dropbox Password can generate passwords for new accounts as required and sync them remotely so you can access all your passwords on multiple devices. It also uses zero-knowledge encryption to store those passwords remotely.

What I really want to know

[TuballoyThunder]

Is when will they add an email client (http://catb.org/jargon/html/Z/Zawinskis-Law.html).

Since this is a security-focused application,

[Arthur, KBE]

It would be good form if the submitter linked to the application's source code.

Not Zero Knowledge

[Adrian Harvey]

It can’t be a Zero Knowledge encryption system to store the password. The entire point of a Zero Knowledge system is that the password is not stored or transmitted, nor is it recoverable at the remote end.

Most Zero Knowledge protocols that I know of are time-bound as well so you can’t just generate the token for a given use and dispose of the password. Besides, it’s a password manager, people will want the passwords back!

Re:

[Anubis IV]

The entire point of a Zero Knowledge system is that the password is not stored or transmitted, nor is it recoverable at the remote end.

I think you confused yourself with your use of "password" instead of "key" in the quote I pulled. In zero knowledge encryption, the key is neither transmitted to nor recoverable by the party receiving the encrypted data, that is, you generate and use a key that never leaves your device, thus ensuring that while they may hold your data, they lack the knowledge necessary to decrypt it. Passwords have nothing to do with it, other than that in this case the data being encrypted happens to be a set of passwords

To get your hooked

[Frank Burly]

They will store five passwords for free. To get 50, it's $2/mo. More than that, and you'll need an enterprise account.

Re:

[rho]

If you use the same password for another site it counts against your total number of passwords.

Dropbox probably has a patent on double-dipping.

Re:

[fph il quozientatore]

Of course; it is for your safety: doing the opposite would encourage password reuse!

Re:

[EvilStein]

That sounds like it's instantly more expensive than.. well, pretty much everything. I'm surprised they went with such a low limit.

Re:

[DarkVader]

And this is why sarcasm doesn't work on the internet.

Re:

[hvidstue]

woooosh! :D

Argh.

[DarkVader]

That'll be fun when they do this again... https://www.wired.com/2016/08/... [wired.com]

Re:

[93 Escort Wagon]

Yup - it's possible there is one word I think of when I think of Dropbox, but that word certainly ain't security.

Even setting that breach aside... this is the company that demanded full unfettered control of all aspects of OS X / macOS just to operate, up through 10.13 High Sierra - despite their application working just fine without having it. AND if the user didn't willingly give that level of access to them, they would use various underhanded means (such as faking system dialog boxes) to try and get it.

I

Re:

[Richard_at_work]

The "faking system dialog boxes" is a mistaken report that simply won't go away - MacOSX itself is the issue here, as it does not have one single coherent privilege escalation dialog box and can display differently depending on the type and version of the framework the app is using. Dropbox was simply using an older framework at the time, and got a different dialog from the ones people were sort of used to from apps using more modern frameworks.

But, the story that Dropbox faked the dialogs simply will not

Re:

[phayes]

That doesn’t change dropbox’s retroactive restriction to the number of allowed clients on the “free” tier from unlimited to three that caused many of us to abandon them. When reinstalling the OS on a machine meant that I lost the ability to sync 1Password to it or now had to pay a fee every month, Dropbox got replaced, removed and added to my blacklist.

Re:

[Richard_at_work]

Theres a lot wrong with Dropbox, and I can help you make a list if you like - I was on the other side of most of this as a Dropbox forum superuser up until 2017, so I know all the past horrors. I dont use Dropbox now.

Bitwarden

[CoreDreamStudios]

Why not use Birwarden? It's free for the most part and there's no password limits, AND it supports 2FA and Yubikey's.

Re:

[Anubis IV]

Work had us recently switch to using Bitwarden for anything work related. Coming from 1Password for personal and work use prior to that point, Bitwarden is painful to use. The app feels like it’s everything that’s wrong with sloppy UX design. One of these days I need to make a list of everything inferior about Bitwarden, because I honestly think that our chief IT guy doesn’t realize just how much better password managers can be than it.

pointless

[bloodhawk]

Just what we need, yet another password manager. Seriously there are more than enough good open source AND commercial offerings out there that this just seems pointless.

Re:

[bloodhawk]

what a stupid fucking analogy, no wonder you posted as an AC.

Anyone

[hcs_$reboot]

So, people are still using Dropbox!

With their security incident record ...

[hvidstue]

... I wouldn't trust them with anything >.