Dropbox Urges Users To Change Old Passwords - InformationWeek

News
8/29/2016
09:06 AM

Data from a 2012 breach has resurfaced, leading to fears that the information could be used to compromise accounts. IT managers using a new Dropbox feature don't need to worry, but they still have to guard against employees' bad password hygiene.

Among the half billion Dropbox users, those who have not changed their passwords since mid-2012 may wish to come up with another sequence of impossible-to-remember alphanumeric characters to authenticate themselves.

Dropbox on Thursday sent out a note advising users whose passwords have gone unchanged for at least four years to choose a new one the next time they sign in. "This is purely a preventative measure, and we're sorry for the inconvenience," the company said in its missive to customers.

IT managers using the Dropbox Business Admin Console won't be inconvenienced much at all. There's an option to reset everyone's password. But for those overseeing employees who use Dropbox on a personal basis, there's a chance that bad personal password hygiene could rub off on corporate data.

On its website, Dropbox explains that its security team became aware of "an old set of Dropbox user credentials (email addresses plus hashed and salted passwords)" that may have been obtained following a security incident reported in 2012. While the company's threat monitoring does not show any effort to exploit this data, Dropbox nonetheless is advising people to change their passwords out of an abundance of caution. Salting stops an attacker from using precomputed lookup tables and from cracking one hash to unlock every account that shares the same password, but it does not stop per-account guessing of weak passwords, and a password reused from Dropbox on another service is exposed regardless of how Dropbox stored it.
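What a leaked set of email addresses and salted hashes is worth to an attacker, as an added example that is not Dropbox's code or data. The records, the wordlist and the single-round salted SHA-1 scheme are constructed assumptions for the illustration, not the scheme Dropbox used. It shows that the salt travels with each leaked record (so it costs the attacker nothing per guess and only prevents reuse of work across users), that a weak password is still recovered by hashing each guess with the record's own salt, and that a slow key-derivation function raises the price of every guess rather than preventing the attack.

```python
"""Offline guessing against constructed (email, salt, hash) records.

Added example, not Dropbox code; the record layout and the hashing
scheme are assumptions chosen to illustrate the attack, not Dropbox's.
"""
import hashlib
import hmac
import os
import time

# Constructed stand-in for the top of a leaked-password wordlist.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Password123", "welcome1"]


def make_record(email, password, iterations=1, salt=None):
    """Build a credential record: email, random per-user salt, salted hash.

    iterations=1 models a single salted SHA-1 pass (fast to guess against);
    a larger count models a deliberately slow KDF such as PBKDF2.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return {"email": email, "salt": salt, "iterations": iterations, "hash": digest}


def verify(record, password):
    """Recompute the salted hash for a candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha1", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def crack(record, wordlist):
    """Dictionary attack on one record.

    The salt is part of the leaked record, so each guess is simply hashed
    with it. Returns the recovered password, or None if no guess matched.
    """
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


def crack_all(records, wordlist):
    """Attack a whole leaked set; every record is cracked independently."""
    return {r["email"]: crack(r, wordlist) for r in records}


def salt_separates_users(password):
    """Same password, two users: the salted hashes differ, so one cracked
    hash or one precomputed table does not expose both accounts."""
    a = make_record("a@example.com", password)
    b = make_record("b@example.com", password)
    return a["hash"] != b["hash"]


def guesses_per_second(iterations, samples=5):
    """Rough cost of one guess at a given work factor (timing, display only)."""
    rec = make_record("t@example.com", "unguessable", iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify(rec, "wrong guess")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample leak: a shared weak password and one strong one.
    leak = [
        make_record("alice@example.com", "Password123"),
        make_record("bob@example.com", "Password123"),
        make_record("carol@example.com", "correct horse battery staple"),
    ]
    print(crack_all(leak, WORDLIST))
    print("salt separates users:", salt_separates_users("Password123"))
    for iters in (1, 100_000):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters):,.0f} guesses/s")
```

Run it and the two weak accounts fall to a six-word list while the passphrase survives; the timing loop at the end shows that a 100,000-iteration KDF only makes each guess slower, which is why the advice is to replace a possibly exposed password rather than rely on how it was hashed.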

Changing passwords on a regular basis is sometimes advocated by security professionals, but not always. CESG (the Communications-Electronics Security Group), the information security arm of the UK intelligence agency GCHQ and the UK's national technical authority for information assurance, recommends against forcing routine password changes through expiration, on the grounds that it pushes users toward predictable variations of the old password.

(Image: HYWARDS/iStockphoto)

But a breach is different: passwords that may have been exposed have to be replaced, and it is up to IT managers to ensure that the replacements are strong and not recycled from other services.

Nimrod Vax, cofounder and head of product at BigID, an enterprise data privacy startup, in a phone interview said password problems are unavoidable. "The problem of weak passwords and those password incidents are as old as IT," he said. "It's just human nature. Everyone knows what the problem is and how to solve it. It's like knowing you shouldn't drink and drive, but still people do it."

Vax acknowledges that it's hard to keep a different password for every service and device, and that changing those passwords makes remembering them even harder. IT managers, he said, can encourage people to reset their passwords, to use different passwords, and to use keyword phrases that can be remembered. "But if you have a large organization, you will have some people who just can't do it," he said.

The solutions are well known, said Vax: two-factor authentication and password management software. But IT managers have to deal with the reality of people using online services outside of enterprise oversight. Because people often use the same passwords both personally and professionally, "IT managers need to encourage the use of password solutions that span personal and enterprise space," he said.

In situations where employees resist using enterprise tools to handle personal passwords, managers should encourage the use of consumer-oriented password managers, said Vax.

"As an IT manager, you can't really separate the personal life of employees from their professional life," said Vax.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

Comments
Michelle,
User Rank: Ninja
8/29/2016 | 12:48:32 PM
Changed, not changed
High incidences of password reuse aren't just an IT statistic; the threat is real. I see password reuse all the time in my sector. The problem continues to be the need to set a password for virtually every service used. Sometimes, the hassle of resetting passwords is enough to deter folks from creating unique passwords for every system.
Whoopty,
User Rank: Ninja
8/30/2016 | 7:25:55 AM
Re: Changed, not changed
It's pretty amazing that at this point in the internet's life that people still don't use decent password protections. It's the kind of thing they made fun of in '90s movies.

It's almost as if the ease of use that modern computing allows is making it all too simple. What would be the best way to encourage better password use among business users and the general public?
Joe Stanganelli,
User Rank: Author
8/30/2016 | 10:37:32 PM
Re: Changed, not changed
@Whoopty: It's just life, I guess. It sounds crazy to us, but it's real, regular, everyday life.

True story: I got a picture from a loved one via text message yesterday -- a picture of a sticky note on their co-worker's monitor.

The sticky note said: "Username: [first initial + last name]" followed by "Password: Password123."

Once one gets past the obvious head-shaking wonder of that, the greatest and most absurd part of that, to me, is that this person felt the need to write "Password:" before what their password was -- as if writing "Password123" by itself without any additional context might confuse them.
Michelle,
User Rank: Ninja
8/30/2016 | 11:40:06 PM
Re: Changed, not changed
I think many have tried and failed using multiple means. I don't know how to change attitudes toward password re-use. Password fatigue is probably a real thing that people deal with every day; they feel an undue burden to make unique passwords for every site/service.
Joe Stanganelli,
User Rank: Author
8/30/2016 | 10:40:38 PM
Re: Changed, not changed
@Michelle: The expert advice I've heard occasionally -- and I adopt myself -- is for companies to have in their employment agreements a passage that states that the password belongs to the company, and anyone who gets caught using a company password on another system will be fired immediately.

Realistically speaking, it's a practically unenforceable line item -- but it sure gets people thinking about things.
Michelle,
User Rank: Ninja
8/30/2016 | 11:43:48 PM
Re: Changed, not changed
@Joe that's an interesting strategy I haven't heard before. Associating scary termination language with password re-use seems like it could curb the practice (at least a little).
Joe Stanganelli,
User Rank: Author
8/30/2016 | 10:38:38 PM
Time
Four years is probably a pretty long time to go without changing your password.

Of course, at the opposite end of the spectrum are overly oppressive IT departments. One woman I know used to just use whatever day of the week it was plus a number or something whenever IT would do its all-too-often rounds of "CHANGE YOUR PASSWORD NOW BECAUSE WE SAY SO."
Michelle,
User Rank: Ninja
8/30/2016 | 11:46:33 PM
Re: Time
4 years might be a long time, but I'm sure there are folks who signed up for the service and never used it. Those folks may be avid password re-users (sounds like an addiction). I recently changed a bunch of passwords and noticed I hadn't used some accounts for ----- years. 
Technocrati,
User Rank: Ninja
8/31/2016 | 3:37:11 AM
Re: Time
Good point, Michelle. When I first read the four years part I was alarmed, but I had forgotten about early adopters, which I am not.
Susan Fourtané,
User Rank: Author
8/31/2016 | 8:05:04 AM
Re: Time
I think I was one of those early adopters, Technocrati. :) I just don't remember when it was that I signed up for the account. That long it has been. -Susan
Technocrati,
User Rank: Ninja
8/31/2016 | 12:47:32 PM
Re: Time
Susan, well I hope you have changed your password... :)
Susan Fourtané,
User Rank: Author
8/31/2016 | 2:24:44 PM
Re: Time
Hehe, Technocrati. :) Actually, not yet. I'll do it now before I forget again. -Susan
Technocrati,
User Rank: Ninja
8/31/2016 | 5:26:30 PM
Re: Time
Hehe Susan, way to go. I am sure you are not alone. I am sure I have a dormant account out there that I should be checking too. :)
Susan Fourtané,
User Rank: Author
8/31/2016 | 8:02:32 AM
Re: Time
Password re-use is sometimes inevitable. If you have, say, tens of accounts it's really hard to always remember every single individual password. Bio-passwords should be more common. As for Dropbox, I signed up for an account years ago. I used it for a long time. Then I stopped. I remembered about it not long ago, I think thanks to an email Dropbox sent me. -Susan
Joe Stanganelli,
User Rank: Author
8/31/2016 | 2:50:49 PM
Re: Time
This is why many security experts recommend writing passwords down now. Not writing down "password1", of course, but having a much more random, much longer password with some real entropy in there, and writing the password down in a truly safe place (i.e., not in or on your desk or on your computer screen).

In this way, it's very easy to keep your passwords *at least* as safe as your wallet.
Susan Fourtané,
User Rank: Author
8/31/2016 | 3:05:40 PM
Re: Time
You made me laugh with that, Joe. I wonder if someone ever had their passwords on their computer screen. A screensaver with all your passwords should look nice. :D -Susan
Technocrati,
User Rank: Ninja
8/31/2016 | 5:32:13 PM
Re: Time
@Susan lol. That would be inventive and it might work. The most obvious is sometimes the best means of hiding.
Technocrati,
User Rank: Ninja
8/31/2016 | 5:30:35 PM
Re: Time
@Joe Good point. Though it is surprising to hear security experts recommend this now, I guess if you are really making unique passwords then you really do need to write them down.

I have used Password Vaults for this in connection with my work, but personally I have not used this type of service. If it is free, I would use it, but I don't need another bill if it comes down to it.
Michelle,
User Rank: Ninja
8/31/2016 | 9:33:48 PM
Re: Time
@Susan it's unfortunate you remembered your long unused account after the message they sent. I'm sure there have been many others who had a similar experience.
Joe Stanganelli,
User Rank: Author
8/31/2016 | 2:47:59 PM
Re: Time
Long-dormant accounts can be an especial security problem indeed -- particularly where the user has forgotten that those accounts existed to begin with, and ESPECIALLY where the user reuses and recycles passwords.
Michelle,
User Rank: Ninja
8/31/2016 | 9:38:01 PM
Re: Time
@Joe I'm waiting to read all the headlines for even more breaches resulting from reused information. I wonder how many folks are ignoring the warning message from Dropbox and continuing to reuse that password on other accounts. 
Susan Fourtané,
User Rank: Author
8/31/2016 | 8:11:31 AM
Re: Time
I wonder if changing the password to whatever day it was plus a number worked for her. -Susan