Case Studies

A password prompt

by Mark Rowe

If you signed up for the file sharing service Dropbox prior to mid-2012 and haven’t changed your password since, you’ll be prompted to update it the next time you sign in. Dropbox say that they’re doing this purely as a preventive measure, and there is no indication that your account has been improperly accessed.

This was described as a really positive move to come from a vendor as large as Dropbox.

Charles Read, Regional Director – UK, Ireland and Benelux at the cloud-based access company OneLogin, said: “For consumers, it’s very common to see the same password being used for multiple services, despite contrary advice from multiple vendors. As such, the compromised LinkedIn credentials from 2012 could well be the same credentials that users still have for their Dropbox account, putting both themselves and Dropbox at risk.

“In the corporate world, utilising a password as the only form of authentication for multiple accounts is already considered as weak security, however we are yet to see consumers apply this approach to the protection of their personal credentials. By adopting two factor authentication on top of regular passwords it’s possible to significantly reduce the risk coming from compromised credentials. However, for a truly secure environment I would always advocate the implementation of a single sign on platform with SAML based authentication services, something that Dropbox has supported in its product for many years. Two factor authentication can then be layered on top of this technology to entirely eliminate the risk associated with stolen credentials.”

What Schneier says

The IT security writer Bruce Schneier agrees: if a site offers two-factor authentication, you should seriously consider using it, as it’s almost certainly a security improvement. He’s blogged: “As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy.”

The best way to explain how to choose a good password is to explain how they’re broken, he adds. For the advice in full visit https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html.

© 2024 Professional Security Magazine. All rights reserved.