If you haven't changed your Dropbox password for 4 years, do so now

Dropbox is forcing users to reset passwords that haven’t been changed since mid-2012, when LinkedIn suffered a mega-breach. An email sent to Dropbox users this morning informed them that the reset was solely a preventative measure, and not as a result of any new breach. Dropbox said that no accounts have been breached and the …

  1. Quentin North

    Spotify resets too

    So is Spotify, email this morning.

  2. mdava

    Re: Spotify resets too

    And Opera Sync too (email this morning).

  3. David Pollard

    Re: Spotify resets too

    ... and 123-Reg. Two e-mails: the first saying they were going to force a password update by the 1st August, the second correcting this to the 1st September. After this deadline, passwords that haven't been updated and those that are insecure won't work any more.

  4. The Man Who Fell To Earth Silver badge

    Sounds fishy to me

    Nothing to see, move along.

    I'm all for strong passwords, although in my experience forcing users to change passwords on a (short) regular basis is a two-edged sword: if it is too often, they start putting passwords on post-it notes.

  5. moiety

    Re: Sounds fishy to me

    I think this is more for that significant chunk of the population who re-use passwords across multiple services.

  6. Lee D Silver badge

    Re: Sounds fishy to me

    The current advice from various agencies (and there have been articles about it on here just lately) is:

    a) Pick a long password. Complexity is not on the same order of magnitude as length.

    (e.g. an 8-letter, lower-ASCII set password gives 128^8 possibilities. A ten-letter, alphabet-only password gives 52^10 possibilities.

    128^8 = 72057594037927936

    52^10 = 144555105949057024

    An 8-character, all-symbol password takes half as long to guess as a 10-character, alphabetical-letters-only password.)

    b) Don't force your users to change it too often. In fact, some places recommend NO forced changes unless you have reason to suspect the account is compromised.

    And if you have any sense:

    c) Pick several good passwords and use them according to purpose. Rather than an individual password per site, which you would need to write down or store in some software somewhere, choose levels of passwords:

    - Critical, secure, ultra-sensitive

    - Financial

    - Secret

    - Junk

    I use the above system, so my Register password is my "junk" password that will only let you into other "Junk" level accounts that I have, even if you tried. My services that I care about have another entirely different password. My services that could cost money (credit cards, bank accounts, etc.) have another entirely different level of password. And anything more important has yet another level of password.

    This way you have a handful of memorable passwords that never need to be written down; you know what password a service should be using based on what it does or stores for you ("I forgot my banking password, but it should be my 'finance' level one"); compromise of some lowly forum doesn't lead to compromise of your bank accounts; and if someone gets into your PayPal, they pretty much have access to your credit card etc. anyway, so you want to go and change them all (obviously), but they won't "elevate" their access beyond the account that's compromised.

  7. AMBxx Silver badge

    Re: Sounds fishy to me

    I worked for a company that issued all passwords as 20 random characters. Users couldn't change. No normal person could remember them, so passwords were just copied from the original email.

    Marginally better than post-it, but only just...

  8. StephenD

    Re: Sounds fishy to me

    But, cumulatively, my banks require me to have:

    telephone password

    Internet password

    Internet userid

    father's middle name

    favourite subject at school

    favourite holiday destination

    secure key password

    memorable address

    memorable date

    street grew up on

    sports personality

    favourite actor

    Verified by Visa password

    personal greeting

    memorable word

    memorable information

    online PIN

    mother's birthday

    city born in

    first boss's first name

    passphrase

    first pet

    spouse born

    make of first car

    memorable place

    memorable date

    memorable name

    telephone banking passnumber

    Internet banking passnumber

    rewards password

    mobile app passcode

    memorable singer

    secret question

    starting salary

    memorable image

    place of birth

    first school

    secondary school

    security number

    most memorable teacher

    first car

    Some of these could be subject to your rules, but in practice the only way to deal with them is unique answers, fictitious where appropriate, stored securely (preferably offline).

  9. CAPS LOCK

    "passwords ... copied from the original email. Marginally better than post-it, but only just..."

    A password stored in an email residing in your inbox is potentially accessible to the whole internet, whereas a password on a post-it is accessible only to people who come into your office.

  10. Jeffrey Nonken Silver badge

    Re: "passwords ... copied from the original email. Marginally better than post-it, but only just..."

    Exactly. Post-its are bad physical security but, unlike password lockers, cannot be hacked remotely.

    Though I suppose you could put your password locker on a separate, air-gapped system.

  11. Midnight

    Re: Sounds fishy to me

    That is an awful lot of passwords, but don't worry. You'll only need to know one of them to convince someone at the call centre that you should have access to all of your accounts.

    Security is job one.

  12. a_yank_lurker Silver badge

    Re: Sounds fishy to me

    @Lee D - All my passwords are stored in the encrypted database of my password manager. I only remember one password - to the password manager. All my site credentials have a different password for each site, so if someone gets my El Reg credentials they only have one site they can log into.

  13. Barry Rueger Silver badge

    Re: Sounds fishy to me

    I'm also a fan of Lee D's system - 99 times in 100 I know the likely password from memory. Or the previous password for a security level, missed when I last did a global "change all passwords" sweep, a semi-annual practice.

    Barring that, I'm a heavy user of "Reset password" and will sometimes abandon a site if that's too cumbersome.

    For some reason user forums are a specific problem, which leads to multiple accounts of the Barry, Barry1, Barry2 variety.

  14. Fibbles

    Re: Sounds fishy to me

    Pick a reasonably long eBook and keep it on your phone. Pick a random line number, e.g. line 7 of every page. Every time you need a password pick a random page of the book and use line 7. Then instead of remembering a very long password just remember the page number.

    It's not a secure enough method for government work or anything like that but it'll do for most people's private email, forum accounts, etc.

  15. Robert E A Harvey

    done

    It asked me a few minutes after logging in, which was amusing. It reckoned I had not changed it since 2012, which is a bit rum because I only signed up this February....

  16. jms222 Bronze badge

    I believe this https://xkcd.com/936/

    so all my passwords are "correct horse battery staple"
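Lee D's length-versus-alphabet arithmetic above and the xkcd passphrase referenced here are both instances of the same calculation, so as an added example (not from any commenter) the following works them through in bits of entropy, assuming each character or word is chosen uniformly at random; the policy labels and the 2048-word dictionary size are assumptions taken from the thread.

```python
import math

# Strength of a uniformly random password: alphabet ** length guesses
# in the worst case, or length * log2(alphabet) bits.

def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords a policy allows."""
    return alphabet ** length

def entropy_bits(alphabet: int, length: int) -> float:
    """log2 of the keyspace, i.e. strength in bits."""
    return length * math.log2(alphabet)

def equivalent_length(target_bits: float, alphabet: int) -> int:
    """Shortest password over `alphabet` that reaches at least target_bits."""
    return math.ceil(target_bits / math.log2(alphabet))

def guess_time_ratio(policy_a: tuple, policy_b: tuple) -> float:
    """Worst-case brute-force effort of policy_a relative to policy_b."""
    return keyspace(*policy_a) / keyspace(*policy_b)

# Constructed policies from the thread. The 128-symbol set is Lee D's
# "lower ASCII" figure; 2048 words is the dictionary size xkcd 936 assumes.
POLICIES = {
    "8 chars, 128-symbol set": (128, 8),
    "10 chars, 52 letters": (52, 10),
    "4 words, 2048-word list": (2048, 4),
}

def compare_policies() -> dict:
    """Bits for each policy and the letters-only length needed to match it."""
    report = {}
    for name, (alphabet, length) in POLICIES.items():
        bits = entropy_bits(alphabet, length)
        report[name] = {
            "bits": round(bits, 1),
            # How many a-zA-Z letters give the same strength?
            "letters_needed": equivalent_length(bits, 52),
        }
    return report

if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:25s} {row['bits']:5.1f} bits  "
              f"~{row['letters_needed']} letters-only chars")
    print("8x128 vs 10x52 effort ratio:",
          round(guess_time_ratio((128, 8), (52, 10)), 2))
```

The bit count is the useful figure: 128^8 is 56 bits, 52^10 is 57.1 bits and four words from 2048 is 44 bits, so Lee D's two policies are within one bit of each other, and all three rely on the choice being random rather than human-picked.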

  17. Anonymous Coward

    And it's taken 4 years

    For them to decide they should remind users about this? Checking on inactive and spoofed accounts more like

  18. Teiwaz Silver badge

    Dropbox is mostly irrelevant.

    I signed up when Ubuntuone was cancelled, in the process of evaluating better services, currently trying out Mega (really nice webpage, well laid out and helpful). Only really use Cloud for non-critical file storage and device transfer.

  19. I Like Heckling

    Sneaky Password Concealment

    I have a parent who was always forgetting passwords and PIN numbers... and wanted to write them down... So I suggested that if she needed to write down a password/PIN, she conceal it in some way.

    So for a long time her PIN number was written down as part of a phone number in amongst other phone numbers, and simple passwords were written down as part of a sentence.

    As for writing down passwords at home, I see no problem with that if you live in a trusting environment. My late aunt used to keep all hers written down in a little book in her desk drawer, along with walkthroughs/guides to do things that I'd taught her on her computer... As an 80-year-old who'd suffered a couple of strokes and had memory issues, it allowed her to still do many things, as her tech support (me) was 250 miles away and unable to remote in due to her being in the countryside on a barely 1Mb connection.

  20. Anonymous Coward

    Re: Sneaky Password Concealment

    A friend of mine has mental problems. She knows passwords need to be non-obvious and secure, but normally forgets her password a few days after creating it, so she writes them down on pieces of paper which she loses within a couple of weeks.

    The password reset mechanism usually depends on having the email address you had when you created the account - but since she loses passwords often, this includes email passwords. Recovering an email account requires you to have the phone you had when you created the account - but she loses phones frequently too. So she creates new accounts frequently.

    Why do none of these dingbats have a way to contact them to retrieve the accounts?

    I suspect she, and others like her, account for 75% of all gmail and FB users, and they want to claim high user numbers.

  21. Robert Moore

    Feeling smug

    I recently decided to change ISPs, and since I would be losing my old email address (long since forwarded to Gmail), I decided to go through all the online services that I regularly use, update the email address, and while I was at it change all the passwords, making them unique and difficult to break/bruteforce.

    I also started using KeePass to keep them all sorted.

  22. I Like Heckling

    Had the email from Dropbox this morning... But I normally change my password every time I get a new phone... Because I only use Dropbox for uploading pictures taken on my phones to it (along with Drive) to view on my PC... and only change my phone every 3 years... I can never remember my password after that long and have to reset it anyway.

    So since 2012 I'm on my 3rd phone and would have changed it at least twice since then.

  23. William 3 Bronze badge

    Hopeful.

    I have three very secure passwords.

    The rest, I couldn't care less about.

    They're all the same.

    I keep living in hope that someone will hack into them & lock me out.

    Incentive to actually get a life rather than delude myself my opinion on forums means jack shit.

    Alas, as much to your chagrin as it is to mine.

    It has yet to pass.

  24. Tom 7 Silver badge

    I've forgotten it and it's staying forgotten.

    Experimenting with a Nextcloud, Pi Zero and a hard drive round at a friend's. Seems to work so far.

    Need to see if I can get two people co-hosting with me (and me for them) and that's all sorted.

  25. aberglas

    Nobody tells people how to manage passwords

    Lots of stupid advice about adding %X99 to them to make them hard to remember. But never the basic thing.

    Use (a few) strong passwords on sites you care about.

    Use a weak password everywhere else.
