
Dropbox: Security update & new features - marklabedz
http://blog.dropbox.com/index.php/security-update-new-features/
======
parfe
I hope Dropbox uses google's authenticator. It supports multiple accounts and
won't clutter up my phone.

<http://code.google.com/p/google-authenticator/>

Their "Such as" example makes it seem they only decided to use 2-factor but
haven't chosen an implementation yet.

~~~
Harkins
A password as secure as my phone is not promising; T-Mobile was recently
happy to reset my lost PIN by having me give the last four digits of any phone
number I'd dialled in the last 23 hours. I don't really think it's as useful as
two-factor because the token is only as secure as another company's password
system. (Aside from the problems that you have to have a Google Account and a
smartphone.)

I looked into this recently when Dreamhost launched google-authenticator
instead of two-factor auth. Disappointing.

~~~
maratd
Someone would need to not only have possession of your phone, but your
password as well. So for a hacker to work this:

First, get your password. Second, find your location. Third, steal your phone,
which for most people, is almost always on their person. Finally, crack
whatever security mechanism you have on your phone.

For someone to go through all that trouble ... you must be storing some very
valuable info. If that's the case, may I suggest that Dropbox is probably not
the right platform? In fact, any internet connected platform is probably not
the right answer.

~~~
andyzweb
Well, most "security mechanisms" on phones are a joke.

~~~
zumda
The point isn't the security mechanism, but for consumer products the point is
physical location. Without two-factor authentication, a sweatshop in China
could hack you (and thousands of others) easily. With two-factor authentication
they would need physical proximity to you, so they won't even try.

------
eoghan
The email they sent was unfortunate. It's from no-reply@dropboxmail.com. I
presumed it was a phishing attempt.

~~~
bbgm
Likewise. It's the kind of email I always delete.

~~~
jimdanz
Agreed. Excessively unfortunate that they didn't send it from @dropbox.com, as
I'd never heard of dropboxmail.com.

------
ghshephard
Good, solid response to the intrusion. I'm particularly happy about the two-
factor opportunity. I have no problem re-authenticating every 60-90 days with
an SMS sent to my phone, and _definitely_ want any new system to be two-
factored before having access to my Dropbox.

~~~
pseudonym
The only issue is that a lot of programs (mobile apps, especially) seem to
interact directly with the Dropbox API, which leaves no possible interface for
a secondary authentication. Google gets around this by having app-specific
passwords that you can generate and de-authenticate at will; it'll be
interesting to see how Dropbox handles it.

~~~
podperson
Good point, and perhaps the reason they're taking some time to roll it out.

------
eslaught
"A stolen password was also used to access an employee Dropbox account
containing a project document with user email addresses."

I see two ways to read this.

a) An employee happened to have a personal Dropbox account, and it was that
personal account that was hacked, in exactly the same manner as the other
accounts referenced. The employee probably used a different password on
Dropbox's internal systems, and as a result there was no internal breach.

b) An employee account for an internal Dropbox system was hacked, and this
internal account allowed the attacker to access the project file. In this
scenario, even though Dropbox made no specific comments to this effect, we can
assume that the attacker may have obtained access to Dropbox's internal
networks, so who knows what they could have made off with.

It makes a huge amount of difference to me which of those two readings
actually took place. In scenario (a), this all boils down to users (including
one particular employee) using the same password on too many sites. In
scenario (b), Dropbox could be hiding a much larger breach.

~~~
rdl
Why would an employee have work-related data in a personal dropbox account?

~~~
eslaught
Presumably because they dogfood their own product to their employees. I don't
actually know if they do that, but I do know a lot of other companies that do.
And it makes sense--if your employees don't use your product on a regular
basis, then you're in trouble. But apparently keeping company data in a
Dropbox account (personal or otherwise) also has potential security
implications.

------
meritt
Every time I see a Dropbox update I hope it is:

* Added ability to sync arbitrary directories

And I'm let down. Every single time.

~~~
gergles
<https://www.dropbox.com/help/175/en> and a symlink?

~~~
meritt
Yeah, I understand ways to work around it... it's more of why isn't it a
feature? In SugarSync, Carbonite and Moxy I can quite literally do:

right click -> Sync Folder (or some variation thereof)

and it just works.

~~~
Dylan16807
Because where are you going to put it on the other computers? So far dropbox
has decided it's not worth the complication.

What you want is two clicks plus a confirmation popup and/or wizard. Moving a
folder and making a shortcut is two drags and one extra click. It's not a big
deal.


------
rdl
I really hope they don't make 2fa mandatory. I hate most 2fa systems I've seen
(I use Google Authenticator for one gmail account I have, and it makes life
even more of a pain than it needs to, even just on Google properties). Having
to reauth ~6 devices every month is obnoxious, and I already have a perfectly
good password manager with long random per-site passphrases, plus secure
storage of my key file and a strong memorized passphrase for it, unlocking
sets of passwords only on certain machines. 2fa, particularly a naive version
involving SMS or telcos, would make my security worse.

------
mattlong
> In some cases, we may require you to change your password. (For example, if
> it’s commonly used or hasn’t been changed in a long time)

This is ambiguous...by "commonly used" do they mean 1) I'm logging in with my
password frequently or 2) my password itself is a commonly used password? I'm
assuming (and praying!) they mean the former since the latter would mean
they're storing my password in plaintext.

UPDATE: Dropbox doesn't store in plaintext. I was incorrect to assume these
were the only two possibilities. Confer child comments.

~~~
rpearl
Dropboxer here. We do not store passwords in plaintext, or unsalted. End
sentence. :)

~~~
bonzoesc
How do you store them?

~~~
timdorr
I believe the implication is that they are stored hashed and salted.

~~~
skeletonjelly
With regards to security, I'd rather not read into subtext. Hopefully they can
provide a definitive answer.

------
drusenko
I'm curious who all received this email? Was it sent to the entire user base?
If not, what selection criteria did they use?

Everyone I've talked to seems to have received the "reset your password"
email. I'm quite curious because I'm certain (up until now) that the password
I used for Dropbox was both (a) not commonly used and (b) had been changed
recently and (c) not leaked anywhere else (to the best of my knowledge).

~~~
dschobel
I also received the reset email and my password for dropbox was a random
string generated by lastpass so I'm fairly confident that it wasn't leaked
elsewhere. I wouldn't be alarmed if you got the email.

------
wamatt
One of the more glaring security issues with Dropbox, is the way they are
handling 3rd party integration.

Giving full access to some random new startup or app is NOT cool. Sure I don't
_have_ to, but people also like to try new stuff, and the integration is half
the reason for using cloud services in the first place.

In fact this really applies to all 'platform' plays: Facebook, LinkedIn, etc.
Rather request minimum privileges to interoperate or authenticate, rather
than sweeping authorizations.

------
bierko
I love the art at the top. Go Jon!

------
MrEnigma
When are email addresses going to be considered something that should be
protected as well? Obviously you can't one-way hash these, but you can secure
them, and definitely not leave them in project documents.

------
davidcollantes
"In some cases, we may require you to change your password. (For example, if
it’s commonly used or hasn’t been changed in a long time)"

Commonly used? What do they mean by that? Aren't they supposed not to know my
password?

~~~
podperson
Good question, but perhaps it's shorthand for "your password generates a hash
matching that generated by passwords found in various stolen password lists in
circulation".

~~~
Jabbles
In which case they're not hashing the password properly, they're likely
checking the plaintext password as it's sent over HTTPS.

~~~
podperson
They do not need to transmit plaintext passwords, they merely need to pick
when and how to salt each password carefully.

What they can't do is randomly salt each stored password.
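Added example (not from the thread or from Dropbox): one way a service can flag a "commonly used" or stale password while storing only a per-user random-salted PBKDF2 hash. The commonness check runs on the plaintext the client submits for that one login request, which the server has to see anyway to verify it; nothing unhashed is stored. COMMON_PASSWORDS is a constructed stand-in for a real common-password list, and the 180-day staleness threshold is an assumption.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a real "commonly used passwords" list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dropbox"}


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> dict:
    """Store a fresh random salt plus a PBKDF2-HMAC-SHA256 digest; never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored per-user salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def login(password: str, record: dict, last_changed_days: int, max_age_days: int = 180) -> dict:
    """Verify the submitted password, then decide whether a change must be forced.

    The "commonly used" test happens here, on the plaintext that only exists for
    the duration of this request; the stored record stays salted and hashed.
    """
    if not verify_password(password, record):
        return {"ok": False, "must_change": False, "reason": "bad-password"}
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("commonly-used")
    if last_changed_days > max_age_days:  # 180-day threshold is an assumption
        reasons.append("stale")
    return {"ok": True, "must_change": bool(reasons), "reason": ",".join(reasons)}


if __name__ == "__main__":
    stored = hash_password("password")
    print(login("password", stored, last_changed_days=10))
    stored = hash_password("correct horse battery staple")
    print(login("correct horse battery staple", stored, last_changed_days=400))
```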

------
bambax
This remark may be OT but why use a grey font on a white background?!? This
makes the blog very difficult to read. Please don't do that.

------
cottonseed
What's the best password manager?

------
five_star
I didn't receive a reset password email. Good thing that I don't store
important files in it.

