Update Dropbox Password manager - zero-knowledge encryption


Nov 10, 2017
App Store: Dropbox Passwords - By Invite

A Dropbox password manager has been quietly added to the App Store, but it is currently listed as ‘by invite.’ This means that you can download it, but can’t yet activate it. An Android version is also available on the Play store, subject to the same restriction …
Dropbox Passwords provides password security by storing all your passwords in one secure place, then fills in usernames and passwords so you can instantly sign in to websites and apps. You can easily create and store unique, secure passwords as you sign up for new accounts.

  • Sign in to apps and websites with one click
  • Store passwords as you sign in to sites and apps
  • Access your passwords from anywhere with automatic syncing to all your devices
Never get locked out of your accounts again. Using this new password keeper from Dropbox, you can sign in to your favorite banking, streaming, and e-commerce sites and apps—you can even shop and checkout securely.
Password managers always use end-to-end encryption to ensure that the cloud service has no access to your passwords, but Dropbox goes one step further, by using zero-knowledge encryption.

This means that you can log in to Dropbox without the server knowing your login password.

You don’t use your actual password to log in; instead, the server asks the app to perform a series of mathematical calculations which use your password as one of the elements, and then provide the answers to the server. The server is able to verify that the results are correct without actually knowing your password. If someone hacked the Dropbox server, they would not get your password and would be unable to log in as you.

Enabling the server to verify a correct result without knowing your password involves a complex process developed by MIT researchers back in the 1980s, but Wikipedia has some useful analogies to make sense of the basic idea. One of these involves two differently-colored balls and a color-blind friend.
Imagine your friend is red-green colour-blind (while you are not) and you have two balls: one red and one green, but otherwise identical. To your friend they seem completely identical and he is skeptical that they are actually distinguishable. You want to prove to him they are in fact differently-coloured, but nothing else; in particular, you do not want to reveal which one is the red and which is the green ball.

Here is the proof system. You give the two balls to your friend and he puts them behind his back. Next, he takes one of the balls and brings it out from behind his back and displays it.

He then places it behind his back again and then chooses to reveal just one of the two balls, picking one of the two at random with equal probability. He will ask you, “Did I switch the ball?” This whole procedure is then repeated as often as necessary.

By looking at their colours, you can, of course, say with certainty whether or not he switched them. On the other hand, if they were the same colour and hence indistinguishable, there is no way you could guess correctly with probability higher than 50%.

Since the probability that you would have randomly succeeded at identifying each switch/non-switch is 50%, the probability of having randomly succeeded at all switch/non-switches approaches zero (“soundness”). If you and your friend repeat this “proof” multiple times (e.g. 100 times), your friend should become convinced (“completeness”) that the balls are indeed differently coloured.

The above proof is zero-knowledge because your friend never learns which ball is green and which is red; indeed, he gains no knowledge about how to distinguish the balls.

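Added example, not part of the original post and not Dropbox's actual protocol: a Schnorr-style identification scheme with one-bit challenges, the numeric counterpart of the ball game above, where a client without the right password passes each round only about half the time. The group parameters, salt, passwords and function names are assumptions chosen for the demo.

```python
import hashlib
import secrets

# Demo-sized constructed parameters (assumption, far too small for real use):
# the multiplicative group modulo the Mersenne prime 2**127 - 1.
P = 2**127 - 1
G = 3
ORDER = P - 1  # exponents are reduced modulo the group order


def secret_from_password(password: str, salt: bytes) -> int:
    """Stretch the password into the secret exponent x (client side only)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return int.from_bytes(key, "big") % ORDER


def enroll(password: str, salt: bytes) -> int:
    """Value the server stores: y = G^x mod P, never the password or x."""
    return pow(G, secret_from_password(password, salt), P)


def run_round(x: int, y: int) -> bool:
    """One round: commitment, one-bit challenge, response, server check."""
    r = secrets.randbelow(ORDER)   # client: fresh random nonce
    t = pow(G, r, P)               # client -> server: commitment
    c = secrets.randbits(1)        # server -> client: random challenge bit
    s = (r + c * x) % ORDER        # client -> server: response
    # Server verifies G^s == t * y^c using only public values and y.
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def login(password: str, salt: bytes, y: int, rounds: int = 64) -> bool:
    """Accept only if every round verifies (a guesser passes with 2^-rounds)."""
    x = secret_from_password(password, salt)
    return all(run_round(x, y) for _ in range(rounds))


def single_round_pass_rate(password: str, salt: bytes, y: int, trials: int) -> float:
    """Fraction of independent single rounds that this password passes."""
    x = secret_from_password(password, salt)
    return sum(run_round(x, y) for _ in range(trials)) / trials


SALT = b"constructed-demo-salt"                      # constructed sample value
Y = enroll("correct horse battery staple", SALT)     # constructed sample password
```

The stored value `y` still lets anyone who obtains it test password guesses offline, which is why the password is stretched with a salted KDF before it is used as the exponent.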