

Hundreds of Dropbox passwords leak online in alleged hack - snikch
http://thenextweb.com/apps/2014/10/14/dropbox-passwords-leak-online-alleged-hack/?utm_content=Hundreds%20of%20Dropbox%20passwords%20leak%20online%20in%20alleged%20hack&utm_campaign=Twitter%20Publisher&awesm=tnw.to_q3MFV&utm_source=t.co&utm_medium=referral

======
minimaxir
Link to referenced Reddit thread w/ confirmations:
[http://www.reddit.com/r/sysadmin/comments/2j5xkw/has_dropbox...](http://www.reddit.com/r/sysadmin/comments/2j5xkw/has_dropbox_been_hacked_passwords_dumped_on/)

Also of note is that Dropbox does not force complex passwords:
[http://i.imgur.com/v4h0g8D.png](http://i.imgur.com/v4h0g8D.png)

~~~
dokument
Nor do they likely salt (I hope they at least hash) their passwords.

~~~
ketralnis
Since nobody has said it yet... don't salt or hash your passwords, and don't
parrot the line "salt your hashes" because it's a massive oversimplification
and the easy/naive way is wrong.

Hashes, cryptographic hashes included, are designed to be fast. Unfortunately,
that means that they're also fast to brute force.

Use bcrypt[1] or a proper key derivation function[2] like PBKDF2[3]

[1] [http://en.wikipedia.org/wiki/Bcrypt](http://en.wikipedia.org/wiki/Bcrypt)

[2]
[http://en.wikipedia.org/wiki/Key_derivation_function](http://en.wikipedia.org/wiki/Key_derivation_function)

[3] [http://en.wikipedia.org/wiki/PBKDF2](http://en.wikipedia.org/wiki/PBKDF2)
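
The contrast ketralnis is drawing, shown as an added Python example that is not part of this thread or of any Dropbox code: an unsalted fast hash beside a salted PBKDF2-HMAC-SHA256 record with a tunable work factor, constant-time verification, and a check for records that need upgrading. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count, and the function names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. 600_000 is an assumed starting point;
# tune it so a verification costs a few hundred milliseconds on your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """The naive scheme. Two users with the same password get the same digest,
    so one precomputed table cracks every account, and each guess costs a
    single cheap hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow record: scheme$iterations$salt$derived_key."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse(stored: str):
    """Split a record into (iterations, salt, key); None if malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        key = base64.b64decode(parts[3], validate=True)
    except (ValueError, base64.binascii.Error):
        return None
    if iterations < 1 or not salt or not key:
        return None
    return iterations, salt, key


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True for records below the current work factor (or unparseable), so the
    application can re-hash at the user's next successful login."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("sha256 x2 :", unsalted_sha256(pw) == unsalted_sha256(pw))  # same digest
    r1, r2 = hash_password(pw), hash_password(pw)
    print("pbkdf2 x2 :", r1 == r2)  # different records, both verify
    print("verify    :", verify_password(pw, r1), verify_password("wrong", r1))
```

The `needs_rehash` check is what lets a service raise the work factor over time without a forced reset: a login that verifies against an old record is immediately re-hashed with the current parameters.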

------
kondro
Dropbox has responded to Ars Technia (not sure if elsewhere)
[http://arstechnica.com/security/2014/10/7-million-dropbox-
us...](http://arstechnica.com/security/2014/10/7-million-dropbox-
usernamepassword-pairs-apparently-leaked/)

The update from Dropbox:

Dropbox has not been hacked. These usernames and passwords were unfortunately
stolen from other services and used in attempts to log in to Dropbox accounts.
We'd previously detected these attacks and the vast majority of the passwords
posted have been expired for some time now. All other remaining passwords have
been expired as well.

------
nevi-me
I'm still suffering from spam from the last mail address leak, and now this?
Time to respect my data and move it elsewhere

EDIT: Dropbox say the leak is from another service that has been compromised.
Does anyone know of a service that's been popular enough to store ~7'000'000
user credentials without instead using OAuth? If there is, how did Dropbox not
notice that, and how did we as the Internet community not complain about this
service sooner? I assume 7 million accounts aren't immaterial to Dropbox total
users.

~~~
gdeglin
Could be another big service that didn't have any connection to Dropbox.
People re-use passwords a lot.

LinkedIn leaked 6.5 Million hashed but not salted passwords back in 2012, for
example.

------
glhaynes
Attempted to change my password; tried using Safari's suggested random
alphanumeric/hyphenated password; was rejected as invalid. :(

~~~
ninkendo
On my machine, Safari misinterpreted the password change form to be two "new
password" fields, and didn't get that the first field was an "old password"
field. So it auto-filled a new password for both fields, and it was rejected
because the old password didn't match.

FYI, don't try and "fix" this by erasing the top password and filling your old
one in... that will cause Safari to forget that you're generating a new
password, and it won't commit the new password to the keychain (and you're now
locked out.)

Safari fares better on the password reset link though, which has two "new
password" fields and that's it.

~~~
glhaynes
Perfect, thanks for being more observant than I was!

------
timrosenblatt
Just in case you aren't using one already:
[https://agilebits.com/onepassword](https://agilebits.com/onepassword)

It's ridiculously easy and worthwhile.

