undefined | Better HN

0 pointsjasonmp8510y ago0 comments

I don't understand this article at all. My wife and I sync 1Password credentials using an agilekeychain within a shared (between us only) file in our Dropboxes (so we can still have distinct Dropbox logins.

This works amazingly, and it's the only way I know how to have distinct individual logins and share common passwords (most other solutions would require we use the same iCloud login, etc.)

The agilekeychain is in a folder that only our Dropbox users have access to. Where, again, is the part where the whole internet can see it and Google can index it?

If you have your sync set up to be generally visible on the entire web, aren't the passwords (encrypted) also there? I operate under the assumption that my keychain itself hasn't been compromised and if it has I've got a ticking timer to reset important passwords. If it were on the internet, I'd better be spending time every month rotating passwords since I would have to assume attackers were always at it.

So what's up with this "visible in a browser" thing, and why would anyone use it in the first place?!?

0 comments

1 comments · 1 top-level

coldtea10y ago

>The agilekeychain is in a folder that only our Dropbox users have access to. Where, again, is the part where the whole internet can see it and Google can index it?

That happens to people who self-host the file. That aside, Dropbox (the company -- or any other person that has access to your agilekeychain, for that matter), having access to metadata about your encrypted passwords is already bad. They shouldn't be able to see anything -- not just your passwords, but also the sites they're for (sexwithanimals.com, hilterappreciationsociety.org etc.).

>If you have your sync set up to be generally visible on the entire web, aren't the passwords (encrypted) also there?

Your passwords yes. Their metadata (such as that they're for sexwithanimals.com and hilterappreciationsociety.org etc) not.

j / k navigate · click thread line to collapse