- Security TWENTY
- Women in Security
Dropbox, four years on and we’re panicking again? asks Mike Gillespie.
You might be forgiven for thinking that online file sharing and storage provider, Dropbox had been hacked again. But no, what we are seeing in security and mainstream press is further revelations of the 2012 breach. Sixty-eight million emails and passwords were compromised. For quite some time, Dropbox did not realise that the salted and hashed passwords had been compromised and so this is why we are seeing the story being hoisted back up to headline status.
Let’s be clear, currently there are no indications that the attackers have thus far been able to crack the salted and hashed passwords (a form of encryption used to obscure the password for more secure storage), but it remains a fact they were taken and it is not a certainty by any means, that they won’t be cracked. However, Dropbox stated after the revelation the passwords were taken that people should change their passwords…so this advice came after the recent resurgence of interest and the news that passwords were compromised and not after the breach itself. So this goes part of the way to press feeding frenzy currently underway about Dropbox.
Standard advice after a breach should be to change passwords. Not only change passwords on that service but in all places that password may have been used. Identity thieves know that people use their passwords across platforms and services and will frequently try other services in the hope of getting a hit. So if you find you have been compromised in any way, the first thing you should do is change password and preferably to one that is discrete.
Dropbox is going to have to look to its credibility on this if it really waited four years to advise people to change passwords. If a system or network is compromised then the first thing to do is change passwords and this should be mandatory and enforced, to force people to do it for their own protection and that of their information. Its worth noting that 2011 saw the same company admit an embarrassing vulnerability; they published code that allowed anyone to sign-in to a Dropbox account without credentials. OK so I am not here to knock Dropbox, they have go a whole host of issues to correct but advising users to change passwords immediately seems quite basic. Issuing a statement that tells customers who have not changed their password since mid-2012 that they should consider changing their password now, seems not so much closing the barn door after the horse has bolted but after it has won the race and moved to better accommodation with more straw.
Part of the growing awareness we should all have as we expand and consolidate our digital lives, must be security hygiene and passwords is a major part of this hygiene. As businesses and individuals, the level of threat we are all facing from the cyberspace is unprecedented and the organisation, resources and tenacity of criminals, is unquestionable. Not having changed a password on an account in which you store things such as photos and documents is poor hygiene in anyone’s book. This doesn’t excuse the Dropbox security fumble but it is a warning to all of us that leaving it four years to change a potentially sensitive password is a really bad idea and we should have a method or plan for how we go about changing passwords.
As we are talking passwords, this gives us an opportunity to improve the quality too. CESG (the technical arm of GCHQ) advises that a good quality password can eliminate the need for too much password change. Whilst on one hand after what we have said that might seem counter-intuitive, in actual fact if you have a really solid password with no dictionary words included, but with symbols numbers and upper/lowercase, that you keep for longer period (barring any breaches) the chances are you are less likely to self-compromise by writing it down or storing it elsewhere in order to recall it if you are forced into changing it too frequently. So we need to think about that too, both at work and home.
Finally here are some of the worst passwords from a 2015 list from World Password Day. If yours is on here, you know what you need to do!