Dropbox Urges Users To Change Old Passwords - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

DevOps // Project Management
09:06 AM
Connect Directly

Dropbox Urges Users To Change Old Passwords

Data from a 2012 breach has resurfaced, leading to fears that the information could be used to compromise accounts. IT managers using a new Dropbox feature don't need to worry, but they still have to guard against employees' bad password hygiene.

5 Traits Effective IT Leaders Need
5 Traits Effective IT Leaders Need
(Click image for larger view and slideshow.)

Among the half billion Dropbox users, those who have not changed their passwords since mid-2012 may wish to come up with another sequence of impossible-to-remember alphanumeric characters to authenticate themselves.

Dropbox on Thursday sent out a note advising those with passwords that have gone unchanged for at least four years to revitalize their secret sequences when next they sign in. "This is purely a preventative measure, and we're sorry for the inconvenience," the company said in its missive to customers.

IT managers using the Dropbox Business Admin Console won't be inconvenienced much at all. There's an option to reset everyone's password. But for those overseeing employees who use Dropbox on a personal basis, there's a chance that bad personal password hygiene could rub off on corporate data.

On its website, Dropbox explains that its security team became aware of "an old set of Dropbox user credentials (email addresses plus hashed and salted passwords)" that may have been obtained following a security incident reported in 2012. While the company's threat monitoring does not show any effort to exploit this data, Dropbox nonetheless is advising people to change their passwords out of an abundance of caution.

Changing passwords on a regular basis is sometimes advocated by security professionals, but not always. The Communications-Electronics Security Group (CESG), the UK government's information security arm of intelligence service GCHQ and its national technical authority for information assurance, recommends against forced password changes through password expiration.

(Image: HYWARDS/iStockphoto)

(Image: HYWARDS/iStockphoto)

But when there's a breach, it's necessary to pick new passwords. It's up to IT managers to ensure that the new passwords are sufficiently strong.

Nimrod Vax, cofounder and head of product at BigID, an enterprise data privacy startup, in a phone interview said password problems are unavoidable. "The problem of weak passwords and those password incidents are as old as IT," he said. "It's just human nature. Everyone knows what the problem is and how to solve it. It's like knowing you shouldn't drink and drive, but still people do it."

[See How To Make Passwords Obsolete.]

Vax acknowledges that it's hard to keep a different password for every service and device, and that changing those passwords makes remembering them even harder. IT managers, he said, can encourage people to reset their passwords, to use different passwords, and to use keyword phrases that can be remembered. "But if you have a large organization, you will have some people who just can't do it," he said.

The solutions are well known, said Vax: two-factor authentication and password management software. But IT managers have to deal with the reality of people using online services outside of enterprise oversight. Because people often use the same passwords both personally and professionally, "IT managers need to encourage the use of password solutions that span personal and enterprise space," he said.

In situations where employees resist using enterprise tools to handle personal passwords, managers should encourage the use of consumer-oriented password managers, said Vax.

"As an IT manager, you can't really separate the personal life of employees from their professional life," said Vax.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 3 / 3
User Rank: Ninja
8/30/2016 | 7:25:55 AM
Re: Changed, not changed
It's pretty amazing that at this point in the internet's life that people still don't use decent password protections. It's the kind of thing they made fun of in '90s movies.

It's almost as if the ease of use with which modern computing allows, is making it all too simple. What would be the best way to encourage better password use among business users and the general public?
User Rank: Ninja
8/29/2016 | 12:48:32 PM
Changed, not changed
High incidences of password reuse aren't just an IT statistic, the threat is real. I see password reuse all the time in my sector. The problem continues to be the need to set a password for virtually every service used. Sometimes, the hassle of resetting passwords is enough to deter folks from creating unique passwords for every system. 
<<   <   Page 3 / 3
10 Ways to Transition Traditional IT Talent to Cloud Talent
Lisa Morgan, Freelance Writer,  11/23/2020
Top 10 Data and Analytics Trends for 2021
Jessica Davis, Senior Editor, Enterprise Apps,  11/13/2020
Can Low Code Measure Up to Tomorrow's Programming Demands?
Joao-Pierre S. Ruth, Senior Writer,  11/16/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
Why Chatbots Are So Popular Right Now
In this IT Trend Report, you will learn more about why chatbots are gaining traction within businesses, particularly while a pandemic is impacting the world.
Flash Poll