Change Your Dropbox Password


R. Mansfield


According to multiple reports being posted on the Internet tonight, there may have been a massive security breach with Dropbox resulting in anywhere from hundreds of passwords that have already been publicly exposed to the threat of millions to come.

 

Since many Accordance users use Dropbox for syncing between the desktop and mobile versions, I would strongly urge changing your password immediately. And if you use the same password in Dropbox that you use elsewhere, change the password for those other services as well.

 

For more information:

http://thenextweb.com/apps/2014/10/14/dropbox-passwords-leak-online-alleged-hack/

 

http://gizmodo.com/change-your-password-hackers-are-leaking-dropbox-user-1645981610

 

http://arstechnica.com/security/2014/10/7-million-dropbox-usernamepassword-pairs-apparently-leaked/


This is also a good time to suggest using 2-factor authentication, which means that Dropbox will send a number code to your phone when you try to log in. This would prevent someone from logging into your account even if they stole your password unless they also managed to steal your phone. If you keep anything particularly sensitive in your Dropbox account, you should enable this.


Thanks, Rick. Changed my password, and went ahead and enabled the two-step authentication. Thanks, Jonathan.


The official word from Dropbox is that they were not hacked. See http://techcrunch.com/2014/10/14/dropbox-pastebin/

 

However, this revelation came on the heels of Dropbox losing a number of people's data yesterday, so they are in heavy defensive mode regardless.

 

And since it's good to change passwords regularly anyway, it seems to me that changing passwords even if there's been rumor of a hack is a good idea.


If you use the same email address & password on other web sites (Accordance, Amazon, etc.), I suggest changing those as well.

Hackers are getting smarter.

Cheers.


I recommend the use of 1Password or some other such password management utility.


If 1Password ever gets hacked that will not be a pretty day.

 

Thx

D


1Password is not a central system like Google or iCloud. It's a local program, every user would have a different password, and you handle any syncing (Wi-Fi, iCloud, Dropbox, etc.) so the software company doesn't store the data. I suppose no security system is absolutely immune to hacking, but 1Password encryption is pretty good and it's not an easy target since each user's file would have to be broken into individually.


AES256 keys are not uncrackable and the fact that these things get synced to all devices indicates that they go through some sort of sync thingie. There was a bunch of noise a few weeks back about a hack of Dropbox. DB said it wasn't them, it was some other company. My guess is that the fact that DB credentials are handed out to apps for sync support led to vulnerability of the credentials in a less secure environment. And if there is a cloud service that ends up with a bunch of these in concentration they will be a target.

 

It's getting so pen and paper looks more secure.

 

The safest way to sync devices is off the web. I wonder how many people do it that way.


That's not to say it's all bad. The autogeneration of sophisticated passwords is a good thing and may save you when one of the sites for which you use such a password is hacked.

 

Thx

D

Edited by Daniel Semler


The official word from Dropbox is that the compromised accounts were affected because the users re-used a password from another site. That password was stolen and simply used to log into Dropbox just like the user would have. It is probably true that a lot of people use Dropbox for syncing their 1Password file, but that file is itself encrypted. Even if you acquired multiple 1Password files, you'd still have to crack each one individually. I'm not saying it can't be done. It's just a more tedious process than hacking into a central system like Google or iCloud. The Dropbox situation itself serves to illustrate the problem of password re-use, one of the key issues that 1Password addresses.


Ah ok I'm behind on the DB issue - and yes the reuse issue is a bad one so it certainly helps there.

 

I still remain leery of all eggs in one basket solutions but they have their benefits also. Perhaps one day I'll stop worrying and learn to love the cloud :)


I've been using the password generator that was built into Apple's Keychain since it was released with Mavericks a year or so ago. It's kind of a poor man's 1Password from what I understand. It's worked well for me except for two areas:

 

1. It only works on Apple's devices. That covers me most of the time, but I do use a Windows laptop for part of my work, and I occasionally try out other devices (such as using a Windows Phone this past summer). In those cases, I have to have an Apple device handy to look up passwords if I don't want to reset them.

 

2. Dedicated apps do not seem to work with password managers--unless I'm missing something. For instance, Apple's Keychain will store my American Express password and fill it in if I go directly to the Amex website. However, if I use the American Express iOS app, I have to be able to enter the password myself. It's a shame that there's not some way to make Keychain (or any of the other password managers) work with the dedicated apps--again, unless they do, and I've missed that feature.


For those old enough to remember, the definition of a password is the sticky note attached to the top of your computer.

Definitely love 1P
