Dropbox Urges Users To Change Old Passwords - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
DevOps // Project Management
News
8/29/2016
09:06 AM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Dropbox Urges Users To Change Old Passwords

Data from a 2012 breach has resurfaced, leading to fears that the information could be used to compromise accounts. IT managers using a new Dropbox feature don't need to worry, but they still have to guard against employees' bad password hygiene.

5 Traits Effective IT Leaders Need
5 Traits Effective IT Leaders Need
(Click image for larger view and slideshow.)

Among the half billion Dropbox users, those who have not changed their passwords since mid-2012 may wish to come up with another sequence of impossible-to-remember alphanumeric characters to authenticate themselves.

Dropbox on Thursday sent out a note advising those with passwords that have gone unchanged for at least four years to revitalize their secret sequences when next they sign in. "This is purely a preventative measure, and we're sorry for the inconvenience," the company said in its missive to customers.

IT managers using the Dropbox Business Admin Console won't be inconvenienced much at all. There's an option to reset everyone's password. But for those overseeing employees who use Dropbox on a personal basis, there's a chance that bad personal password hygiene could rub off on corporate data.

On its website, Dropbox explains that its security team became aware of "an old set of Dropbox user credentials (email addresses plus hashed and salted passwords)" that may have been obtained following a security incident reported in 2012. While the company's threat monitoring does not show any effort to exploit this data, Dropbox nonetheless is advising people to change their passwords out of an abundance of caution.

Changing passwords on a regular basis is sometimes advocated by security professionals, but not always. The Communications-Electronics Security Group (CESG), the UK government's information security arm of intelligence service GCHQ and its national technical authority for information assurance, recommends against forced password changes through password expiration.

(Image: HYWARDS/iStockphoto)

(Image: HYWARDS/iStockphoto)

But when there's a breach, it's necessary to pick new passwords. It's up to IT managers to ensure that the new passwords are sufficiently strong.

Nimrod Vax, cofounder and head of product at BigID, an enterprise data privacy startup, in a phone interview said password problems are unavoidable. "The problem of weak passwords and those password incidents are as old as IT," he said. "It's just human nature. Everyone knows what the problem is and how to solve it. It's like knowing you shouldn't drink and drive, but still people do it."

[See How To Make Passwords Obsolete.]

Vax acknowledges that it's hard to keep a different password for every service and device, and that changing those passwords makes remembering them even harder. IT managers, he said, can encourage people to reset their passwords, to use different passwords, and to use keyword phrases that can be remembered. "But if you have a large organization, you will have some people who just can't do it," he said.

The solutions are well known, said Vax: two-factor authentication and password management software. But IT managers have to deal with the reality of people using online services outside of enterprise oversight. Because people often use the same passwords both personally and professionally, "IT managers need to encourage the use of password solutions that span personal and enterprise space," he said.

In situations where employees resist using enterprise tools to handle personal passwords, managers should encourage the use of consumer-oriented password managers, said Vax.

"As an IT manager, you can't really separate the personal life of employees from their professional life," said Vax.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 3   >   >>
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Author
8/31/2016 | 8:11:31 AM
Re: Time
I wonder if changing the password to whatever day it was plus a number worked for her. -Susan
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Author
8/31/2016 | 8:05:04 AM
Re: Time
I think I was one of those early adopters, Technorati. :) I just don't remember when was that I signed up for the account. That long it has been. -Susan
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Author
8/31/2016 | 8:02:32 AM
Re: Time
Password re-use is sometimes innevitable. If you have, say, tens of accounts it's really hard to always remember every single individual password. Bio-passwords should be more common. As for Dropbox, I signed up for an account years ago. I used it for a long time. Then I stopped. I remembered about it not long ago, I think thanks to an email Dropbox sent me. -Susan
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
8/31/2016 | 3:37:11 AM
Re: Time
Good point Michelle when I first read the fours years part I was alarmed but I had forgotten about early adopters which I am not.
Michelle
50%
50%
Michelle,
User Rank: Ninja
8/30/2016 | 11:46:33 PM
Re: Time
4 years might be a long time, but I'm sure there are folks who signed up for the service and never used it. Those folks may be avid password re-users (sounds like an addiction). I recently changed a bunch of passwords and noticed I hadn't used some accounts for ----- years. 
Michelle
50%
50%
Michelle,
User Rank: Ninja
8/30/2016 | 11:43:48 PM
Re: Changed, not changed
@Joe that's an interesting strategy I haven't heard before. Associating scary termination language with password re-use seems like it could curb the practice (at least a little).
Michelle
50%
50%
Michelle,
User Rank: Ninja
8/30/2016 | 11:40:06 PM
Re: Changed, not changed
I think many have tried and failed using multiple means. I don't know how to change attitudes toward password re-use. Password fatigue is probably a real thing that people deal with everyday, they feel undue burden to make unique passwords for every site/service.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
8/30/2016 | 10:40:38 PM
Re: Changed, not changed
@Michelle: The expert advice I've heard occasionally -- and I adopt myself -- is for companies to have in their employment agreements a passage that states that the password belongs to the company, and anyone who gets caught using a company password on another system will be fired immediately.

Realistically speaking, it's a practically unenforceable line item -- but it sure gets people thinking about things.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
8/30/2016 | 10:38:38 PM
Time
Four years is probably a pretty long time to go without changing your password.

Of course, at the opposite end off the spectrum are overly oppressive IT departments.  One woman I know used to just use whatever day of the week it was plus a number or something whenever IT would do its all-too-often rounds of "CHANGE YOUR PASSWORD NOW BECAUSE WE SAY SO."
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Author
8/30/2016 | 10:37:32 PM
Re: Changed, not changed
@Whoopty: It's just life, I guess.  It sounds crazy to us, but it's real, regular, everyday life.

True story: I got a picture from a loved one via text message yesterday -- a picture of a sticky note on their co-worker's monitor.

The sticky note said: "Username: [firsrt initial + last name]" followed by "Password: Password123."

Once one gets past the obvious head-shaking wonder of that, the greatest and most absurd part of that, to me, is that this person felt the need to write "Password:" before what their password was -- as if writing "Password123" by itself without any additional context might confuse them.
<<   <   Page 2 / 3   >   >>
Slideshows
10 Ways to Transition Traditional IT Talent to Cloud Talent
Lisa Morgan, Freelance Writer,  11/23/2020
News
Top 10 Data and Analytics Trends for 2021
Jessica Davis, Senior Editor, Enterprise Apps,  11/13/2020
Commentary
Can Low Code Measure Up to Tomorrow's Programming Demands?
Joao-Pierre S. Ruth, Senior Writer,  11/16/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Why Chatbots Are So Popular Right Now
In this IT Trend Report, you will learn more about why chatbots are gaining traction within businesses, particularly while a pandemic is impacting the world.
Slideshows
Flash Poll