Dropbox Passwords: a password manager from a company that holds your file keys
June 2020
Dropbox launched a zero-knowledge password manager in 2020, but reviewers and privacy advocates questioned trusting a vault to a company that — for its core product — holds the encryption keys and has a documented history of breaches.
What happened
In June 2020 Dropbox introduced Dropbox Passwords, built on technology from its acquisition of Valt, and marketed it as using zero-knowledge encryption: the master password is used to derive a key stored only on the user's device, so Dropbox says it cannot read stored credentials. Passwords are protected with 256-bit AES, and the server verifies the user without learning the master password.
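The architecture described above (master password stretched on the device into a key the server never sees, with the server still able to verify the user) is the part of the zero-knowledge claim a practitioner can reason about. The following is an added illustration, not Dropbox's or Valt's code and not a description of their actual parameters: it shows the standard split of one master password into a vault-encryption key that stays on the device and a separate authentication key that is the only thing the server ever handles. The PBKDF2 iteration counts, the HMAC labels and the in-memory `Server` class are assumptions made for this example; AES encryption of the vault with `enc_key` is left out so the block runs with the standard library only.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not Dropbox's published values).
PBKDF2_ITERATIONS = 200_000   # device-side password stretching
VERIFIER_ITERATIONS = 10_000  # server-side hashing of the auth key
KEY_LEN = 32                  # 256-bit keys


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 256-bit master key. Runs on the
    device only; the master password itself is never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=KEY_LEN,
    )


def split_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive two independent subkeys from the master key (HKDF-style labels):
    enc_key encrypts the vault and never leaves the device; auth_key is the
    only value ever sent to the server. Knowing one does not reveal the other."""
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-authentication", hashlib.sha256).digest()
    return enc_key, auth_key


class Server:
    """Constructed stand-in for the provider. It stores a per-user salt and a
    salted hash of auth_key; it holds neither the master password nor enc_key,
    so a full copy of its database cannot decrypt anyone's vault."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict[str, bytes]] = {}

    def register(self, user: str, salt: bytes, auth_key: bytes) -> None:
        verifier_salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac(
            "sha256", auth_key, verifier_salt, VERIFIER_ITERATIONS, dklen=KEY_LEN
        )
        self.accounts[user] = {
            "salt": salt, "verifier_salt": verifier_salt, "verifier": verifier
        }

    def salt_for(self, user: str) -> bytes:
        return self.accounts[user]["salt"]

    def verify(self, user: str, auth_key: bytes) -> bool:
        rec = self.accounts[user]
        candidate = hashlib.pbkdf2_hmac(
            "sha256", auth_key, rec["verifier_salt"], VERIFIER_ITERATIONS, dklen=KEY_LEN
        )
        # Constant-time comparison avoids leaking verifier bytes via timing.
        return hmac.compare_digest(candidate, rec["verifier"])


def enroll(server: Server, user: str, master_password: str) -> bytes:
    """Device-side enrollment. Returns enc_key, which the device keeps locally."""
    salt = os.urandom(16)
    enc_key, auth_key = split_keys(derive_master_key(master_password, salt))
    server.register(user, salt, auth_key)
    return enc_key


def login(server: Server, user: str, master_password: str):
    """Device-side login. Re-derives both keys from the password; only auth_key
    goes to the server. Returns enc_key on success, None on a wrong password."""
    salt = server.salt_for(user)
    enc_key, auth_key = split_keys(derive_master_key(master_password, salt))
    return enc_key if server.verify(user, auth_key) else None


def server_holds(server: Server, user: str, secret: bytes) -> bool:
    """Audit helper: does any stored field for this user equal or contain the secret?"""
    return any(secret in value for value in server.accounts[user].values())


if __name__ == "__main__":
    srv = Server()
    key = enroll(srv, "alice", "correct horse battery staple")
    print("login ok:", login(srv, "alice", "correct horse battery staple") == key)
    print("wrong password rejected:", login(srv, "alice", "hunter2") is None)
    print("server holds enc_key:", server_holds(srv, "alice", key))
```

The property worth checking in any such design is the last line: after enrollment, nothing in the server's records equals the vault key or the master password, and a successful login on a second device reproduces exactly the same `enc_key` from the password plus the stored salt. The residual risk the article's reviewers point at is outside this code: whoever ships the client and the key-derivation parameters can weaken them, which is why independent auditing of the client matters as much as the server-side model.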
The scrutiny concerns trust and track record rather than a specific flaw. Reviewers noted the tension that the company asking users to entrust it with their entire password vault is the same one that, for standard Dropbox storage, holds the keys and decrypts files server-side, and that has suffered the 2012 credential theft (~68 million accounts) and the 2024 Dropbox Sign breach. Analysts also flagged that, as a U.S. provider subject to laws like the CLOUD Act, Dropbox is a less obvious home for highly sensitive secrets than dedicated, independently audited password managers, and questioned the depth of public security auditing of the Passwords product.
Impact
The launch extended Dropbox's reach into a category, secrets management, where trust assumptions are unusually high, and invited the question of whether a company that cannot apply zero-knowledge encryption to its main product, and that has been breached, is the right custodian for a password vault. For privacy-conscious users it sharpened the divide between Dropbox's marketing of zero-knowledge encryption for Passwords and its server-side-key model everywhere else.