If you haven't changed your Dropbox password for 4 years, do so now

Dropbox is forcing users to reset passwords that haven’t been changed since mid-2012, when LinkedIn suffered a mega-breach. An email sent to Dropbox users this morning informed them that the reset was solely a preventative measure, and not as a result of any new breach. Dropbox said that no accounts have been breached and the …

Spotify resets too

So is Spotify, email this morning.


Re: Spotify resets too

And Opera Sync too (email this morning).


Re: Spotify resets too

... and 123-Reg. Two e-mails: the first saying they were going to force a password update by the 1st August, the second correcting this to the 1st September. After this deadline, passwords that haven't been updated and those that are insecure won't work any more.


Sounds fishy to me

Nothing to see, move along.

I'm all for strong passwords, although in my experience forcing users to change passwords on a (short) regular basis is a two-edged sword, in that if it's too often, they start putting passwords on post-it notes.


Re: Sounds fishy to me

I think this is more for that significant chunk of the population who re-use passwords across multiple services.


Re: Sounds fishy to me

The current advice from various agencies (and there have been articles about it on here just lately) is:

a) Pick a long password. Complexity is not on the same order of magnitude as length.

(e.g. an 8-letter, lower-ASCII set password gives 128^8 possibilities. A ten-letter, alphabet-only password gives 52^10 possibilities.

128^8 = 72057594037927936

52^10 = 144555105949057024

An 8-character, all-symbol password takes half as long to guess as a 10-character, only-alphabetical-letters password.)

b) Don't force your users to change it too often. In fact, some places recommend NO forced changes unless you have reason to suspect the account is compromised.

And if you have any sense:

c) Pick several good passwords and use them according to purpose. Rather than an individual password per site, that you would need to write down or store in some software somewhere, choose levels of passwords:

- Critical, secure, ultra-sensitive

- Financial

- Secret

- Junk

I use the above system, so my Register password is my "junk" password that will only let you into other "Junk" level accounts that I have, even if you tried. My services that I care about have another entirely different password. My services that could cost money (credit cards, bank accounts, etc.) have another entirely different level of password. And anything more important has yet another level of password.

This way you have a handful of memorable passwords that never need to be written down, you know what password a service should be using based on what it does or stores for you ("I forgot my banking password, but it should be my 'finance' level one"), compromise of some lowly forum doesn't lead to compromise of your bank accounts, and if someone gets into your PayPal, they pretty much have access to your credit card etc. anyway so you want to go and change them all (obviously) but they won't "elevate" their access beyond the account that's compromised.

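The length-versus-alphabet arithmetic in the post above can be checked, and generalised to any alphabet size or target strength, with a small calculator. This is an added example, not code from the original thread: the character-class sizes (26 lower, 26 upper, 10 digits, 32 symbols) and the 10^9 guesses-per-second rate are illustrative assumptions, and the per-character estimate is an upper bound that ignores dictionary words and other patterns.

```python
import math
import string

# Assumed character classes for estimating which alphabet a password draws from.
# The 32-symbol set is string.punctuation; a real attacker's wordlist is not modelled.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def keyspace(charset_size, length):
    """Number of distinct passwords of `length` drawn uniformly from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Strength in bits for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def length_needed(charset_size, target_bits):
    """Smallest length whose keyspace reaches 2**target_bits.

    Uses exact integer arithmetic so large alphabets and lengths do not suffer
    floating-point rounding at the boundary.
    """
    target = 2 ** target_bits
    n = 1
    while charset_size ** n < target:
        n += 1
    return n


def estimate_bits(password):
    """Upper-bound strength estimate: assumes the password is uniformly random over the
    union of the character classes it actually uses. Words, dates and keyboard walks
    are not detected, so a weak human-chosen password will be overestimated."""
    alphabet = 0
    for chars in CHAR_CLASSES.values():
        if any(c in chars for c in password):
            alphabet += len(chars)
    if alphabet == 0:
        return 0.0
    return entropy_bits(alphabet, len(password))


def years_to_exhaust(bits, guesses_per_second):
    """Wall-clock years to try every password in a 2**bits keyspace at a fixed rate
    (assumed rate for an offline attack against a fast, unsalted hash)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # The two cases from the post: 8 chars over 128 symbols vs 10 letters over 52.
    a, b = keyspace(128, 8), keyspace(52, 10)
    print(f"128^8 = {a}  ({entropy_bits(128, 8):.1f} bits)")
    print(f"52^10 = {b}  ({entropy_bits(52, 10):.1f} bits), ratio {b / a:.2f}")
    # Length a lower-case-only password needs to match 56 bits (128^8 = 2^56).
    print("lower-case letters needed for 56 bits:", length_needed(26, 56))
    print("years at 1e9 guesses/s for 56 bits:", round(years_to_exhaust(56, 1e9), 2))
```

Running the module prints the two keyspaces from the post, confirms the 52-letter, 10-character space is just over twice the 128-symbol, 8-character one, and shows that adding two lower-case letters buys more than adding three extra character classes. The `estimate_bits` figure is only useful as a ceiling when setting policy; for an actual password-quality check, a pattern-aware estimator is needed.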

Re: Sounds fishy to me

I worked for a company that issued all passwords as 20 random characters. Users couldn't change. No normal person could remember them, so passwords were just copied from the original email.

Marginally better than post-it, but only just...


Re: Sounds fishy to me

But, cumulatively, my banks require me to have:

- telephone password
- Internet password
- Internet userid
- father's middle name
- favourite subject at school
- favourite holiday destination
- secure key password
- memorable address
- memorable date
- street grew up on
- sports personality
- favourite actor
- Verified by Visa password
- personal greeting
- memorable word
- memorable information
- online PIN
- mother's birthday
- city born in
- first boss's first name
- passphrase
- first pet
- spouse born
- make of first car
- memorable place
- memorable date
- memorable name
- telephone banking passnumber
- Internet banking passnumber
- rewards password
- mobile app passcode
- memorable singer
- secret question
- starting salary
- memorable image
- place of birth
- first school
- secondary school
- security number
- most memorable teacher
- first car

Some of these could be subject to your rules, but in practice the only way to deal with them is unique answers, fictitious where appropriate, stored securely (preferably offline).


"passwords ... copied from the original email. Marginally better than post-it, but only just..."

A password stored in an email residing in your inbox is potentially accessible to the whole internet, whereas a password on a post-it is accessible only to people who come into your office.


Re: "passwords ... copied from the original email. Marginally better than post-it, but only just..."

Exactly. Post-its are bad physical security but, unlike password lockers, cannot be hacked remotely.

Though I suppose you could put your password locker on a separate, air-gapped system.


Re: Sounds fishy to me

That is an awful lot of passwords, but don't worry. You'll only need to know one of them to convince someone at the call centre that you should have access to all of your accounts.

Security is job one.


Re: Sounds fishy to me

@Lee D - All my passwords are stored in the encrypted database of my password manager. I only remember one password - to the password manager. All my site credentials will have a different password for each site, so if someone gets my El Reg credentials they only have one site they can log into.


Re: Sounds fishy to me

I'm also a fan of Lee D's system - 99 times in 100 I know the likely password from memory. Or the previous password for a security level, missed when I last did a global "change all passwords" sweep, a semi-annual practice.

Barring that, I'm a heavy user of "Reset password" and will sometimes abandon a site if that's too cumbersome.

For some reason user forums are a specific problem, which leads to multiple accounts of the Barry, Barry1, Barry2 variety.


Re: Sounds fishy to me

Pick a reasonably long eBook and keep it on your phone. Pick a random line number, e.g. line 7 of every page. Every time you need a password pick a random page of the book and use line 7. Then instead of remembering a very long password just remember the page number.

It's not a secure enough method for government work or anything like that but it'll do for most people's private email, forum accounts, etc.


done

It asked me a few minutes after logging in, which was amusing. It reckoned I had not changed it since 2012, which is a bit rum because I only signed up this February....


I believe this https://xkcd.com/936/

so all my passwords are "correct horse battery staple"

Anonymous Coward

And it's taken 4 years

For them to decide they should remind users about this? Checking on inactive and spoofed accounts more like


Dropbox is mostly irrelevant.

I signed up when Ubuntuone was cancelled, in the process of evaluating better services, currently trying out Mega (really nice webpage, well laid out and helpful). Only really use Cloud for non-critical file storage and device transfer.


Sneaky Password Concealment

I have a parent who was always forgetting passwords and PIN numbers... and wanted to write them down... So I suggested that if she needed to write down a password/PIN, she conceal it in some way.

So for a long time her PIN number was written down as part of a phone number in amongst other phone numbers, and simple passwords were written down as part of a sentence.

As for writing down passwords at home, I see no problem with that if you live in a trusting environment. My late aunt used to keep all hers written down in a little book in her desk drawer along with walkthroughs/guides to do things that I'd taught her on her computer... as an 80-year-old who'd suffered a couple of strokes and had memory issues, it allowed her to still do many things, as her tech support (me) was 250 miles away and unable to remote in due to her being in the countryside on a barely 1Mb connection.

Anonymous Coward

Re: Sneaky Password Concealment

A friend of mine has mental problems. She knows passwords need to be non-obvious and secure, but normally forgets her password a few days after creating it, so she writes them down on pieces of paper which she loses within a couple of weeks.

The password reset mechanism usually depends on having the email address you had when you created the account - but since she loses passwords often, this includes email passwords. Recovering an email account requires you to have the phone you had when you created the account - but she loses phones frequently too. So she creates new accounts frequently.

Why do none of these dingbats have a way to contact them to retrieve the accounts?

I suspect she, and others like her, account for 75% of all gmail and FB users, and they want to claim high user numbers.


Feeling smug

I recently decided to change ISPs, and since I would be losing my old email address (long since forwarded to Gmail), I decided to go through all the online services that I regularly use, update the email address, and while I was at it change all the passwords, making them unique and difficult to break/brute-force.

I also started using KeePass to keep them all sorted.


Had the email from Dropbox this morning... But I normally change my password every time I get a new phone... Because I only use Dropbox for uploading pictures taken on my phones to it (along with Drive) to view on my PC... and I only change my phone every 3 years... I can never remember my password after that long and have to reset it anyway.

So since 2012 I'm on my 3rd phone and would have changed it at least twice since then.


Hopeful.

I have three very secure passwords.

The rest, I couldn't care less about.

They're all the same.

I keep living in hope that someone will hack into them & lock me out.

Incentive to actually get a life rather than delude myself my opinion on forums means jack shit.

Alas, as much to your chagrin as it is to mine.

It has yet to pass.


I've forgotten it and it's staying forgotten.

Experimenting with a Nextcloud, a Pi Zero and a hard drive round at a friend's. Seems to work so far.

Need to see if I can get two people co-hosting with me (and me for them) and that's all sorted.


Nobody tells people how to manage passwords

Lots of stupid advice about adding %X99 to them to make them hard to remember. But never the basic thing.

Use (a few) strong passwords on sites you care about.

Use a weak password everywhere else.
