The Dropbox hack is real (troyhunt.com)
1313 points by joshschreuder on Aug 31, 2016 | 539 comments

Make sure you sign yourself up for something like https://haveibeenpwned.com if you haven't already. Sometimes being timely in responding to leaks can make a big difference on any further leaks.

This was a strange way to find out that I have a Tumblr account.

Exactly my reaction.

Myspace and Adobe, neither of which is present in my password manager. Huh, no memory of those.

I think there was a time when it was once considered a vaguely normal blogging platform.

It's abnormal now?

Lol, that was my initial thought too. Also, I obviously once had an account on vBulletin.

Haha same here.

Also note the guy that runs it is the one that wrote this article.

Wow, thanks for this. I just found out that my email address was breached 3 times, while only one company sent an email informing me of the breach.

Also, LastPass uses a similar site, plus it's specific knowledge of your passwords (last time it was changed), to let you know if a password has been compromised.

Not sure if 1Password does as well, but it seems like a fairly obvious feature to add.

1Password has a "Watchtower" feature that "identifies websites that are vulnerable to Heartbleed". Also under Security Audit are sections for Weak Passwords, Duplicate Passwords, and groupings of password ages (3+ years old, 1-3 years old, 6-12 months old for me). It does not appear to keep track of leaks/hacks.


The problem with this feature seems to be that it thinks if the site reissues its certificate it means all passwords there were compromised. Which leads it to mark all old passwords as vulnerable, even if no breaches were actually reported for the site.

The certificate/password link is a guess since on their website they say to change the password starting with date that matches the date of certificate reissuance.

This seems to be related to Heartbleed; it also lists a site that didn't reissue its certificate after Heartbleed as vulnerable, and so for passwords there it seems to be regardless of age.

I am a long-time 1password user and have a lot of old passwords, so for me like 90% of passwords are listed as compromised, which I'm pretty sure is not the case.

It does.

Can't upvote hard enough. Also, it is shocking how bad security is for all these games I've played over the years. The publishers seem to be the source of the vast majority of these leaks I've been caught in.

Thankfully the notification emails from this service are prompt and helpful (not to mention totally free).

Ironically, https://haveibeenpwned.com certificate is signed by StarCom, which is the same as WoSign https://news.ycombinator.com/item?id=12411870 which means it basically trusts a known scammer to provide its security and one should not be giving this site any information you don't want to see in public.

I think it should hash entered email client-side in JS to be more trustworthy. I am a bit worried about giving my various email addresses to some random site.

If you don't trust it to keep your email safe why would you trust it when it says it's going to hash your address?

Also it's an email address, not your credit card number.
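As an added illustration of the concern raised above (this is not HIBP's code, nor how the site worked in 2016, nor code from anyone in the thread): a client can hash the address locally and send only a short prefix of the hash, and the server answers with every suffix it holds under that prefix, so the membership test finishes on the client. The breach corpus, prefix length and function names are constructed for this example. Hashing alone buys little for email addresses, since they are guessable, so it is the truncation to a prefix, not the hash, that limits what the server learns.

```python
import hashlib
from typing import Dict, List

# Constructed sample corpus of breached addresses (not real data).
BREACHED_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]

# Number of hex characters the client reveals: 5 hex chars = 20 bits, so many
# unrelated addresses share every prefix and the server cannot single one out.
PREFIX_LEN = 5
HEX = set("0123456789ABCDEF")


def address_hash(email: str) -> str:
    """Normalise the address (trim, lower-case) and return its SHA-1 in upper-case hex."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()


def build_index(emails) -> Dict[str, List[str]]:
    """Server side: bucket every known hash by its prefix; only suffixes are kept per bucket."""
    index: Dict[str, List[str]] = {}
    for email in emails:
        digest = address_hash(email)
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def range_query(index: Dict[str, List[str]], prefix: str) -> List[str]:
    """Server side: return every suffix under the prefix. The server never sees the
    full hash, let alone the address, and cannot tell which suffix the client wants."""
    if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly %d upper-case hex characters" % PREFIX_LEN)
    return sorted(index.get(prefix, []))


def client_check(email: str, index: Dict[str, List[str]]) -> bool:
    """Client side: hash locally, send only the prefix, finish the comparison at home."""
    digest = address_hash(email)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(index, prefix)


INDEX = build_index(BREACHED_EMAILS)

if __name__ == "__main__":
    for probe in ("alice@example.com", "dave@example.com"):
        print(probe, "->", "breached" if client_check(probe, INDEX) else "not found")
```

The client sends five characters instead of an address; everything else stays on its side of the connection.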

I'm not sure how much I can trust the results of a site that claims an email address I only use for one site has been breached on sites and services I've never been to. However it's calculating whether what you enter into the form appears in the leaked content, it sure gives a lot of false positives.

Which I suppose forces more awareness, but it doesn't instill a lot of confidence.

From https://haveibeenpwned.com/FAQs :

Why do I see my username as breached on a service I never signed up to? When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply due to someone else electing to use the same username as you usually do. Even when your username appears very unique, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.

A false positive from your perspective doesn't mean your email address isn't actually being used to sign up for things.

My primary personal email address is routinely used by a small handful of other real people (all strangers) for all sorts of things - college applications, car insurance, some address books think it belongs to a cousin who gets included in a lot of group threads about reunions and full of photos. I've found the families more difficult to unsubscribe from than the services, name+email associations spread like a virus. I routinely get alarming/misleading "Someone has your password!" security alerts from Google after someone tries to list my email as a backup account.

These little strings we use to identify ourselves can be typed by anyone, anywhere, bot or human. I wouldn't worry too much about false positives.

I wouldn't worry too much about false positives.

It's not that I'm worried, it's that it's a distraction. When the margin of error is high enough, it becomes less signal and more noise, which leads to either panic (spending all your time managing access credentials) or complacency (ignoring the indicators).

I have the same problem. Do you have any suggestions on how to handle such emails?

It's worth pointing out that other people can use your email address to create accounts. It's just a string of characters to type in.

They might not even know it's yours, like if your email is davidsmith@gmail and they fat-finger davidrsmith@gmail--boom, "you" now have an account.

Good services use double-opt-in to ensure that every account is actually tied to a correct and working email address. But not every service does this.

And even services that do use double opt-in would create a row in their database to note that a confirm email was sent out. If they never scrub those invite rows, "your" email address would still be in the DB when it's exfiltrated, even if the confirmation process was never completed.
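Illustrating the point about unconfirmed signup rows: an added example (not from any service mentioned in the thread) of a double-opt-in table that stores only a hash of the confirmation token, lets tokens expire, and purges unconfirmed rows after the same window, so an address a stranger typed in does not sit in the table until the next dump. It uses sqlite3 in memory; the schema, the two-day window and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta

CONFIRM_WINDOW = timedelta(days=2)  # assumed retention window for this example


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE signups ("
        " email TEXT PRIMARY KEY,"
        " token_hash TEXT NOT NULL,"
        " created_at TEXT NOT NULL,"
        " confirmed_at TEXT)"
    )
    return conn


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def start_signup(conn, email: str, now: datetime) -> str:
    """Record the pending signup and return the token for the confirmation link.
    Only a hash of the token is stored, so a copy of the table cannot complete signups."""
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT OR REPLACE INTO signups VALUES (?, ?, ?, NULL)",
        (email, _token_hash(token), now.isoformat()),
    )
    return token


def confirm(conn, email: str, token: str, now: datetime) -> bool:
    row = conn.execute(
        "SELECT token_hash, created_at FROM signups WHERE email = ? AND confirmed_at IS NULL",
        (email,),
    ).fetchone()
    if row is None:
        return False
    stored_hash, created_at = row
    if now - datetime.fromisoformat(created_at) > CONFIRM_WINDOW:
        return False  # link has expired
    if not hmac.compare_digest(stored_hash, _token_hash(token)):
        return False
    conn.execute("UPDATE signups SET confirmed_at = ? WHERE email = ?", (now.isoformat(), email))
    return True


def purge_unconfirmed(conn, now: datetime) -> int:
    """Run periodically: delete rows nobody confirmed within the window; returns the count."""
    cutoff = (now - CONFIRM_WINDOW).isoformat()
    return conn.execute(
        "DELETE FROM signups WHERE confirmed_at IS NULL AND created_at < ?", (cutoff,)
    ).rowcount


def stored_emails(conn) -> list:
    return sorted(r[0] for r in conn.execute("SELECT email FROM signups"))


def scenario() -> dict:
    """Constructed walk-through: a typo'd address is never confirmed, the real owner is."""
    conn = open_db()
    t0 = datetime(2016, 8, 1, 12, 0, 0)
    tok_typo = start_signup(conn, "stranger-typo@example.com", t0)
    tok = start_signup(conn, "owner@example.com", t0)
    return {
        "wrong_token": confirm(conn, "owner@example.com", "not-the-token", t0),
        "owner_confirmed": confirm(conn, "owner@example.com", tok, t0 + timedelta(hours=1)),
        "confirm_twice": confirm(conn, "owner@example.com", tok, t0 + timedelta(hours=2)),
        "expired_link": confirm(conn, "stranger-typo@example.com", tok_typo, t0 + timedelta(days=3)),
        "purged_early": purge_unconfirmed(conn, t0 + timedelta(days=1)),
        "purged_later": purge_unconfirmed(conn, t0 + timedelta(days=3)),
        "remaining": stored_emails(conn),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print("%-16s %s" % (k, v))
```

The purge job is what makes the "invite rows" concern go away: after the window the unconfirmed address is gone from the table, so it is not there to be exfiltrated.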

I think false positives like this are worth reporting upstream.

FWIW I was subscribed and didn't get anything until this most recent breach. Unfortunately GMail thought it was spam (speaking of false positives!).

true... but unfortunately in this case (Dropbox) you would have gotten a notification about 4.5 years later ;-)

Damn, thanks for this. It seems that I've actually been pwned at some point.

Fun fact: Have I Been Pwned neither salts nor hashes the creds which it stores on its website, potentially making itself an interesting target for hackers[0]

[0]: http://risky.biz/RB388

HIBP doesn't store passwords, it only stores usernames and email addresses.

apologies, s/"creds"/"user data"

How exactly do you expect them to send an email to an address they only have a hash of?

HIBP hosts only completely public, already leaked data -- that's how they source their data.

Dropbox should absolutely be held to the flame for trying to downplay the severity of this. Their communication says 'This is purely a preventative measure', but if you had/have reused this password on any other sites (let's face it a huge proportion of non tech savvy people do this) then your entire online presence may be exposed.

Genuinely curious, but what do you think the severity is?

Everything I know about it (this article included) places the Dropbox leak very low in my sense of severity.

The severity stems from the unfortunate fact that a password leak retroactively, and silently, destroys your security across all sites that use the same or a similar password. Even if you started using the longest, randomised, two-factor-authenticated password system last year, all those forgotten or seemingly unimportant accounts are suddenly exposed.

Even when the exposed sites have minimal information or impact, minor information in aggregate adds up to a lot of danger for escalation and social engineering.

Now consider that there are huge swaths of people with the same password that they've used for email, banking, medicare, and everything else.

A proper response from Dropbox would be to explicitly and loudly inform every leaked email address (not just their current users) that they need to immediately change every password across any and all sites that might use the same leaked credentials.

Furthermore, Dropbox should set up a secure site with a unique link per email address that allows a user to key-in and check their memory against the exposed hash. I know that I have changed my password for Dropbox at least twice since 2012, but in 2012 I might have used an insecure password. Allowing me to figure it out before a nefarious party would allow me to better judge the potential personal impact.

That's true if your actual password is leaked, but as described in this post, it is very unlikely that actual passwords could be retrieved. Still a non-zero risk, but I could see a case that the severity of that risk is low.

The significantly greater issue imo is the leaking of email addresses and ensuing spam.

> That's true if your actual password is leaked, but as described in this post, it is very unlikely that actual passwords could be retrieved.

If I'm interpreting the hashcat screenshot correctly (I'm probably not, and even if I am it's probably skewed by init overhead or by not counting the final result) it looks like passwords can be attacked at ~6ms/dictionary attempt against the bcrypt passwords? While HIBP didn't get their hands on salts for the SHA1s, that doesn't mean they weren't breached as well.

I take it as a given that all high value dropbox accounts with a weak password in this breach will be pwnt.

Then again, it took until last week for anyone to try and grab my Minecraft account (successful email change, but successful resecure.) Given that HIBP knew about 1 of the 4 breaches I'm aware of for similarly weak passwords, I'm surprised it took this long... (I've since finally gotten off my ass and better secured all the legacy old terribly passworded accounts I can think of / were listed in my password database...)
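The cost-per-guess point in the comment above depends entirely on the hash function: one SHA-1 over salt and password is cheap, while an adaptive function with a work factor is not. The added example below (not Dropbox's code and not from the article) shows the defender-side consequence: verify against a legacy salted-SHA-1 record and transparently re-hash it with the stronger function on the next successful login, which is the only moment the plaintext is available. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without extra packages; the record format, iteration count and helper names are assumptions for this example.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """The older scheme the article describes: a single SHA-1 over salt + password."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt.hex(), digest)


def modern_record(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Adaptive scheme: PBKDF2-HMAC-SHA256 stands in for bcrypt (stdlib only)."""
    salt = salt if salt else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify(password: str, stored: str) -> bool:
    """Check a candidate against either record format, comparing in constant time."""
    parts = stored.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        candidate = legacy_sha1_record(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2" and len(parts) == 4:
        candidate = modern_record(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def needs_upgrade(stored: str) -> bool:
    parts = stored.split("$")
    return parts[0] != "pbkdf2" or int(parts[1]) < PBKDF2_ITERATIONS


def login(user_db: dict, username: str, password: str) -> bool:
    """On a successful login the plaintext is briefly in hand, which is the only
    time a legacy record can be re-hashed; do it then, not in a batch job."""
    stored = user_db.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_upgrade(stored):
        user_db[username] = modern_record(password)
    return True


def seconds_per_guess(make_record, samples: int = 3) -> float:
    """Rough per-guess cost on this machine; the ratio between the two schemes is the point."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        make_record("guess%d" % i, salt)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    db = {"alice": legacy_sha1_record("hunter2", os.urandom(8))}
    print("login ok:", login(db, "alice", "hunter2"), "now stored as", db["alice"][:12])
    print("sha1 s/guess:   %.6f" % seconds_per_guess(legacy_sha1_record))
    print("pbkdf2 s/guess: %.6f" % seconds_per_guess(modern_record))
```

The mixed state the article describes (some records on the old scheme, some on the new) is exactly what an upgrade-on-login migration looks like part-way through: users who have not logged in since the switch keep the cheaper-to-attack record.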

I think the risk is a lot higher than described by this post or dropbox. There are nearly 70 million credentials, and email addresses actually contain a fair amount of heuristic information for an attacker. For example just filter down to addresses from hotmail or yahoo, and suddenly you have a list of credentials that are far more likely to be susceptible to a dictionary attack.

As far as what we know about these cryptosystems today, the passwords are no more accessible via this breach than they are when you send them over TLS. How is that severe at all?

The first time I saw the email I believed that Dropbox was taking it as a preventative measure because they thought they were breached -- not that they were breached. This information was hidden behind the link to more information in the email itself.

did dropbox ever write up the details of how they were compromised and what else the attackers may have taken?

If not, there's nothing to suggest they didn't take other things.

Non tech savvy? Everyone does this. It's practical.

Sure most of us have a few passwords we reuse, but I know less than 5 people with truly unique passwords.

Considering the consequences of password breaches, it's decidedly impractical. Password managers make it very easy to have unique passwords for all websites.

I don't even know any of my passwords.

How many people were using password managers in 2012? The impact is huge because leaks are silently retroactive. Unless you have captured and changed every single possible account you ever created with the leaked 2012 credentials (before or after), you might still have a lot of exposure.

Except the one to your password manager :)

This scares the crap out of me. I have to remember this one, super long and complex password for my password manager. If I ever accidentally paste it somewhere else, type it in somewhere or somehow it's leaked from the password manager then I am completely screwed. This one, tiny thing can completely turn my life upside down. For sites that require security questions those are easy to game so the only way to be secure is making up answers. So I wouldn't even be able to reset a large amount of very important passwords!

I wish we had a better alternative to passwords. Something that's actually good, solid, can't lose or forget. I get the feeling we won't have that until we can start implanting chips in ourselves.

It's really not so bad. I was reluctant to use 1password until being forced to by work, and discovered how wonderful having a password manager is.

First off, your passphrase should only be used for the password manager itself. So if you accidentally paste it on twitter, you just change your passphrase.

Secondly, you're way more easily fooled than a password manager. I don't know my passwords (they're generated), so to phish me you have to convince 1password as well. That means e.g. the google open redirect bug on HN yesterday can't trick me with a fake password page on a different domain.

Third, it makes your passwords way easier to use on mobile. Most of the managers support whatever biometric integration your phone has nowadays, so rather than trying to type your 24 character alphanumeric symbol crap (or worse, a crappy password because you didn't want to make a good one on mobile) by hand you can just paste it in.

Lastly, it encourages you to actually use separate passwords for all your accounts. And when passwords get leaked, your manager can tell you which sites need new passwords.

In conclusion, password managers improve your internet security and experience immeasurably. Go buy 1password!

- satisfied 1password customer

Make sure you turn on 2FA on your password manager. That should allay most of those fears. (Of course you would still change the password if it was leaked somehow.)

1Password doesn't have 2FA because it needs to decrypt your data. It does have a long "secret account" key that you need along with your password.

I use a pass phrase which is much easier to remember. I know the source material for my pass phrase so if I need to reconstruct my master password I go to the source material and convert it into the password by encoding the first letters, punctuation symbols and letters from the passphrase into the password.

I need to get into the habit of exporting my password list to plaintext csv and storing it in a safe or safe deposit box but I haven't disciplined myself for that yet.

I am worried about the ability for the 1Password database to be hacked if someone were able to get their hands on that.

> I am worried about the ability for the 1Password database to be hacked if someone were able to get their hands on that.

This is one among several reasons I don't go in for any "cloud" based syncing of password managers. I use KeePass and sync the file with syncthing on LAN only mode.

How about using the password manager to store security question answers too? It's mildly inconvenient because each site seems to require at least three, but then you wouldn't risk forgetting them and you could use random generated strings instead of having to make them up.

> How about using the password manager to store security question answers too?

That was my point: I use my password manager to store those security questions and answers but if someone got ahold of my password manager account I would be screwed because many sites require the answers to those questions to reset a password.

You just immediately change the master password and delete previous versions of the database file ?

Not really. If someone gets into someone else's password manager they can easily get a copy of all usernames and passwords and, if they're quick enough, they can start resetting them / closing them / committing fraud.

So yeah change the password and delete previous versions is a good first step but everything else has already leaked to who knows where.

I've been pretty happy not even knowing that. (YubiKey OpenPGP smart card + pass) It feels natural for my password manager to be just another thing I have to unlock with a physical key. The security concerns in practice are similar to that of my house keys, so there's pleasantly little mental overhead.

What happens to your password vault when the key suffers a malfunction? Or you lose or physically break it?

The key is backed up offline on digital media and paper. As with house and car keys, recovery from damage or loss is costly and inconvenient.

Well, yes :)

My approach to this consists of 4 security "levels":

1. I have one "throw away" password for services I don't give a fuck about.
2. 2 passwords for ordinary services (breach cannot cause any serious harm and I can reset the password over my e-mail).
3. 2 other passwords (pretty easy to memorise but almost impossible to guess) that I use for my school mail, IDE, other mail accounts.
4. A unique password coupled with two factor auth I only use for my primary gmail - as long as I have ownership of that, I can restore access to basically any other account I use.

ad. 1: I find it a pretty good idea to also have a secondary junk mail for signing up to these services - just in case they give my e-mail to someone for spamming or get breached.

> as long as I have ownership of that, I can restore access to basically any other account I use

And therein lies the rub. Single point of failure for your whole intricate security setup.

I have the same problem.

That's great that you use a password manager but the majority of Internet users probably don't. What's your point? Either way you look at it, if Dropbox was breached then it's the responsible thing for them to do, to disclose.

I do not have the privileges to install a password manager on my work desktop PC. So that doesn't really work for me.

You probably shouldn't keep/use any personal passwords on your work computer anyway, but KeePass offers a portable executable that does not need to be installed.

No, lots of people use password managers. You should try one.

I tried lastpass and it's been nothing but a pain in the arse. I still use it but I frickin' hate it.

If you're on a Mac, 1Password is a monumentally better experience.

Why not just use keychain?

Two of the most compelling reasons are cross-browser support and a better cross-device experience. For example, viewing/editing Keychain password on an iPhone requires burrowing into the Settings app, whereas 1Password has an excellent app and extension.

Works great until it doesn't (multiple user profiles in your browser, HTTP auth, non-browser based stuff like VPNs).

Wouldn't multiple user profiles have their own extensions? If so, then just install the extension on that profile? IIRC 1Password was working on something related to that, so perhaps that has changed recently.

HTTP auth not working is a bit annoying, but it's not a massive deal when you can CMD+ALT+\ and copy-paste it. Same deal with non-browser based stuff.

I am on a Mac - I'll check out 1Password thanks

Use an algorithmic password. Pick some easy to remember keyword, then work some of the letters of the website into the password so each site is unique. For example, your seed could be "horse", and your gmail password would be something like "hgomrasiel". I've been doing this for ten years and haven't forgotten a password yet. :)

I would like to do this, and I thought about using an algorithm that uses the domain name as the seed, however different sites have different password policies and expiration times, which would make this very difficult to manage in practice. I wish all sites supported things like OpenID so I could have one central place to sign in with 3-factor authentication.

This comes up sometimes but I've found it to be less of an issue in practice than you might think. Occasionally I have to make an exception for my bank or gmail. If you do have to make a few variations at least it's only two or three passwords you have to remember instead of a different one for every login.

I'd argue with a password manager it's more pragmatic to have a different password everywhere. I know two passwords and use my manager for everything.

Anyway, tech-savvy folk are more likely to set up their own file-sync server. It is the non-tech-savvy people who are the primary users of dropbox.

Not many tech-savvy people have time to set up and maintain a personal file sync service that works across their laptops, phones, and tablets.

Second bit of data for that claim. I use dropbox because I can't be waffled to set up my own dropbox nor do I have the free time even if I did want to.

It was pretty obvious the dropbox hack was real several years ago, because lots of spam mail started arriving at my dropbox-unique email almost immediately after the breach. I changed my email to another unique address quickly back then. Unique-per-service email addresses work pretty well as a canary for breaches. Just make sure there is more uniqueness than just the service name to such addresses, or someone could see your pattern and start spamming by guessing popular services.

On a side note, don't forget the time dropbox accepted ANY password during logins - http://www.cnet.com/news/dropbox-confirms-security-glitch-no...

> Unique-per-service email addresses work pretty well as a canary for breaches

I do this too, but it taught me everything is breached - the local ambulance service, the local computer store, the local car share, small businesses overseas that I've placed orders with.

Some of the big names don't seem to be, which is lucky because otherwise I'd be wondering if it was the ISPs that had been breached. Either large chunks of SMTP routes are breached and picking up confirmation emails, or there's a giant iceberg of pwnage floating beneath the surface out of view.

> giant iceberg of pwnage floating beneath the surface out of view

Very poetic. I'd like to see this made into one of those motivational posters and hung in the office of every dev team nationwide.

The tip would be labelled "User Config", while the remaining behemoth, respectively: "DNS".

For the sysadmins out there ;)

My favourite was the unique email I used for a Russian visa application. Either the consulate was ridden with malware, or they just sold my address.

Were you actually at a consulate? Most Russian visas are (pre)processed by private companies.

In that case there are probably lots of travel companies who would buy that email list.

Consulate. Most Russian visas in Europe are processed by consular services, unless you need it done quick and/or from a remote place.

I got many Russian visas in my life in Europe and not once did I not use an intermediary. In Austria if you want to go through the consulate you need to go through VHS first. In London VFS does it etc.

Shouldn't the word be "riddled with"?

I also do unique aliases for each account I have. Few of them have been a source of spam.

I also have expiring subdomains. So I'm not using domain.com, but something like b2.domain.com. The rationale is that if I start receiving a lot of spam, I go through all the accounts I have, change all emails to use another subdomain like b3.domain.com, and then invalidate the old subdomain entirely. I haven't had to do that yet and my domain is several years old.

With two big exceptions: the email address I leave on my website and the email address I publish on my GitHub profile. These 2 have dedicated throwaway domains like throwaway283728@domain.com. Because you wouldn't believe how much spam I get from that GitHub profile, not just recruiters, but also get rich offers from princes in Nigeria and Viagra pills.

I used to use unique middle addresses for magazine subscriptions, back when magazines were physical. I'd get credit offers with middle name "Byte". Consumer Reports used to include a false advertising hall of shame; I loved sending them an example sent to middle name "CR". They didn't use it, or even answer.

> it taught me everything is breached

More likely, sold. Every service that collects user data will get offers, and many can't resist the temptation.

Doesn't matter however, businesses that will sell you to the highest bidder (and in many cases, outside the US, illegally) can't be trusted to ever seriously invest in security. So if they aren't breached, they sooner or later will be.

Back when I ran a mail server for a small business, I would see the spammers literally going through all the permutations of email addresses for a domain. In the logs you'd see:

failure to send to a@example.com

failure to send to b@example.com


failure to send to aa@example.com


Or these places sell / give away your email address?

Oddly enough I have had the opposite experience.

I have been running per-service emails for 10 years and wonder to myself if it is worth the bother as I can recall only one ever spreading.

That has been my experience as well. Only one alias in about 10 years ever got undeniably sold, and that was because the company went out of business and probably sold their entire portfolio.

Interesting. The plot thickens.

I don't have any fancy script to check these addresses - I have to go into my spam headers manually, and I've not done that for a long time. Perhaps there was a common issue a while ago that got patched. I'll have to check whether modern addresses are being spammed.

My experience also is that there is pretty limited sharing, even among business partners. The worst was when the idiots at Aweber, the email marketing service, were hacked, and I had waves of spam coming in on many per domain emails. Six months later, Aweber was hacked again. Another wave.

I would be interested to know if you use a provider or host your own email.

I mention that because most of the ISP do have re-targeting efforts.

Also it would seem more likely that your email provider is breached as opposed to lots of other companies/servers.

How do you guys do this? Is there a service? Do you add na.melast@gmail? Or do you create them on your own domain through the hosting company?

I use a catch-all (*@mydomain.tld), and forward everything to the same place. Really simple and I can just make up email addresses on the fly when I need to, no config necessary, and harder to reverse than the +addresses trick.

You can use anything after a + character with Gmail.

E.g. myaddress+service1@gmail.com will go to your inbox and you can filter on it.

But not every website out there allows you to enter this as a valid email address.

My earlier hypothesis was that this was on purpose, to make sure you don't use a filter on any email they might send. But these days I'm tending to think it's just a bad regexp on their side.

Even worse, some sites let you enter a plus address initially but that address will not work in some account management pages. I had an instance where I signed up to a pizza place with such an address and I could not unsubscribe or edit my mail preferences because of it.

For example, overstock.com. Their registration page lets you use '+' address, but their login page forbids it.

If you are just starting to do this...it's very easy to forget you did it for a particular site.

"I can't log in and to boot your site says there is no account matching first.last@gmail.com. What kind of Mickey Mouse operation are you running here?"

"Sir, you are an idiot."

If you're using a password manager, that's a non-issue. And until we have something better than passwords, you really should be using one.

That's a solid point. I've generally avoided password managers because not knowing my (unique-per-service, strong) passwords makes me nervous in exactly the same way as not actually knowing the phone numbers of the most important N people in my life.

You'll get over that little hurdle once you realize that you can dump the anxiety of remembering a hundred password variants for different sites. And realistically speaking, you're probably not even using a hundred variants...or possibly even 10. If you're memorizing passwords, chances are your re-use frequency is nonzero.

What's important is to keep a backup of your password database in a few places. I use KeePass because I have no desire to keep passwords, encrypted or not, in a cloud service. I also don't find value in browser integration (possible attack vector?). I'm generally very DIY-inclined anyway. Your preferences may vary.

Thanks, I'll check into KeePass.

And trade it for the anxiety of your manager getting pwned.

I guess you aren't familiar with KeePass. If your KeePass database is pwnd, that means your box has been pwnd since the database is stored locally and not any cloud provider (unless YOU put it there). This means you have much bigger problems and is not a shortcoming of KeePass, itself.

As a full disclaimer, there are some issues with KeePass [1], but known issues are detailed in full by the project and are available for review.

1. http://keepass.info/help/kb/sec_issues.html

A hardcopy backup is also wise

I'd imagine most shady spammers would know enough to filter out the +.

For gmail, you can also put a period "." anywhere and it still works.

It's often called plus addressing. Quite a common feature in mail servers and mail services. MyName+<any-random-text> at gmail.com ends up in MyName's mailbox.

Doesn't that defeat the purpose? Surely anyone savvy enough to be dealing in black-market e-mail address lists is savvy enough to just remove everything after the + sign?

Probably yes. The software I'm using supports configuring the character per domain, so I can use say . instead of +, so I could use myname.service@example.com which I assume would solve that.

You never use the bare address. If it gets stripped then it gets binned.

Works well until you encounter a service that thinks you can't have pluses in emails

What do 'bare address', 'stripped', and 'binned' mean in this context?

I don't agree with him, but he means you never use the email address without a "+service" in it.

Then, if the spammer strips (removes) that part, it gets sent to the trash (binned).
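To make the bare/stripped/binned scheme concrete, here is an added example (not from anyone in the thread) of an inbound-mail triage rule in Python: each plus-tagged alias maps to the one service it was given to, mail to the bare address or to an unknown tag is binned, and mail to a known alias from an unexpected sender domain raises a leak alert, which is the breach-canary use of unique addresses described earlier in the thread. The domain, the alias table and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "example.com"  # constructed
MY_USER = "me"             # the bare local part; never handed to anyone

# Alias tag -> (service the alias was given to, sender domains allowed to use it). Constructed.
ALIASES = {
    "dropbox": ("Dropbox", {"dropbox.com", "dropboxmail.com"}),
    "pizza": ("Local pizza place", {"pizza.example"}),
}


def _domain_of(address: str) -> str:
    return address.lower().rpartition("@")[2]


def classify(raw_message: str) -> dict:
    """Decide what to do with one inbound message from the alias it was sent to."""
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("Delivered-To") or msg.get("To", ""))[1].lower()
    sender_domain = _domain_of(parseaddr(msg.get("From", ""))[1])
    local, _, domain = rcpt.rpartition("@")
    if domain != MY_DOMAIN:
        return {"verdict": "reject", "reason": "not our domain"}
    base, _, tag = local.partition("+")
    if base != MY_USER:
        return {"verdict": "reject", "reason": "unknown mailbox"}
    if not tag:
        # Nobody was ever given the bare address; a tag stripped by a list cleaner lands here.
        return {"verdict": "bin", "reason": "bare address"}
    if tag not in ALIASES:
        return {"verdict": "bin", "reason": "unknown alias"}
    service, allowed = ALIASES[tag]
    if sender_domain in allowed or any(sender_domain.endswith("." + d) for d in allowed):
        return {"verdict": "deliver", "service": service}
    # One service per alias: anyone else using it means the address has left that service.
    return {"verdict": "alert", "service": service, "reason": "unexpected sender " + sender_domain}


# Constructed sample messages; only the headers matter for the rule.
SAMPLES = {
    "expected": "From: no-reply@dropbox.com\nTo: me+dropbox@example.com\nSubject: Hi\n\nbody\n",
    "leaked": "From: deals@bulk-offers.example\nTo: me+dropbox@example.com\nSubject: !!!\n\nbody\n",
    "stripped": "From: deals@bulk-offers.example\nTo: me@example.com\nSubject: !!!\n\nbody\n",
    "guessed": "From: deals@bulk-offers.example\nTo: me+netflix@example.com\nSubject: !!!\n\nbody\n",
    "misrouted": "From: a@b.example\nTo: someone@other.example\nSubject: x\n\nbody\n",
}


def triage(samples: dict) -> dict:
    return {name: classify(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print("%-10s %s" % (name, verdict))
```

The "alert" verdict is the canary firing: the alias only ever went to one party, so mail from anyone else tells you that party's copy of your address is now elsewhere.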

There is such a service: 33mail.com. I've just signed up.

I use Fastmail, which provides very nice wildcard aliasing under a domain. *@mydomain goes to a single inbox. I can also create specific aliases such as foo@mydomain.

I have a wildcard redirect so that <anything>@mydomain.com is forwarded to me. That way whenever I sign up for a service I just use, e.g., dropbox@mydomain.com.

I used that practice, and ended up selling the domain. Updating everything was an absolute nightmare as a result, and I couldn't make a simple request like, "please forward my one primary email address to me for the next few years." YMMV :)

Don't sell your domain until you've done a search for "to:*@example.com" :)

Personally, I worry much more about ad-hoc stalkers or angry people doing semi-manual digging. Such a scheme wouldn't help much. Does anyone know a convenient pipeline for managing (receiving, creating, disposing of etc) third-party email accounts?

Having email on your own domain is risky unless you actively manage it. Otherwise, forget to renew your domain once and all your credentials are gone...

You definitely need to remember to renew it, but a yearly repeating event in your calendar should be sufficient. That's hardly "active management".

> it taught me everything is breached

Everything is breached. From websites to software to hardware, I would estimate the majority of them can be/have been exploited by advanced hackers.

I'm awaiting the time when we all acknowledge that computers are fundamentally insecure.

I've been using unique-per-service email addresses quite a while, and I maintain a list[1] of all offenders that have leaked my PII.

1. https://gist.github.com/eligrey/5084991

That's a much smaller list than I expected. I don't differentiate between those that sold and those that ignore unsubscribe (and a few that just have very contrived unsubscribe systems), but I have over a hundred per-service emails attached to disabled accounts (as aliases) to block them forever.

One that stands out in my head is Cadillac. I had requested a brochure for a CTS, and I got random unrelated spam just days later!

I also actively watch my unique-per-service email addresses but have not started with a list, yet. Might be a good idea.

Good idea.

I do the unique address thing, but I also have another system for giving out temporary email addresses. If I want to hand an email address which I know should not receive email after say, this Saturday, I'll just give them "2016-09-03@tmp.grepular.com" - I don't have to do anything to set that up, it will accept mail as long as the date isn't after 3rd September 2016. I blogged it up a while ago here:


Interesting. I've been considering doing this but, frankly, have been too lazy to implement it. But if you are using a password manager anyway, what's one more field?

> On a side note, don't forget the time dropbox accepted ANY password during logins - http://www.cnet.com/news/dropbox-confirms-security-glitch-no...

I've not forgotten, and this glitch has kept me from ever considering opening a Dropbox account.

I'm surprised everyone else seems so forgiving of this massive screw up.

Haha for me it's the opposite. My password never works in Dropbox. I think it's because they don't support spaces in passwords, but they don't tell you when you change your password. They just accept the change and then you can't login.

There are many sites with little exceptions like that. I think that their password filter allows the characters, but their backend input sanitization doesn't, so it cleans it up and inserts a transformed version of the pass without providing notification. I've found this happens particularly often with passwords with symbols like !, #, or ;.

In general, this is one of the most frustrating things with trying to secure yourself online. I have gone through like "I WANT TO USE PASSPHRASES" then gone to places like PAYPAL and had them have an upper limit on password length. It's absurd that they all have slightly different requirements. I am switching to a password manager now.

This problem has been noted for some time. Past articles on the subject have shown how the various requirements for passwords come about through a combination of limitations imposed by the system they're being used on, or through misguided attempts at making things easier for users.

I wonder if there has ever been an attempt through a forum like RFCs or ISO to define a worldwide (or at least latin char set) standard for password requirements. Based on what I've seen in forums like this, there seems to be fairly broad acceptance that allowing a large number of characters from a character set with as few limitations as possible best serves the interest of security. The thorniest issue would likely be about balancing requirements for increased complexity (eg capitals and lowercase, numbers, etc) with ease of use.

I'm using a password with spaces for Dropbox without any problems. Something else must be the issue on your side... Have you tried resetting it?

Totally. You wanna talk about people forgetting? It seems everyone has totally forgotten (or forgiven) that Dropbox was mentioned specifically in the Snowden leaks as a source.

are there better alternatives though?

"Better" is subjective. I consider Google Drive much better, personally.

Alternatives, though? Plenty: Google Drive, Box, OneDrive, iCloud Backup and iCloud Drive.. the list goes on with a simple Google search for "online storage"

Does google drive work the same way as Dropbox? Cross platform, acts as a folder in your home dir, selective sync, etc? Seriously ready to move on from Dropbox and my google fiber account comes with a free terabyte of google drive.

I've never set it up but I believe that you can get it to work the same way.

Install the desktop application: https://support.google.com/drive/answer/2374987 Change sync settings: https://support.google.com/drive/answer/2375083

The Windows and Mac clients create a folder in your home directory. There are ways to rename it, but essentially anything you put in the ~/Google Drive/ folder is synced just like Dropbox.

No native linux support is a bummer, but if you only need to use it there infrequently, the web client is quite capable for manual uploads and downloads.

IIRC it has limited linux support, but works that way in windows/macOS. Another article today mentioned rclone, if you need linux support.

There's no Drive for Linux, alas.

Don't forget Spideroak! They offer end-to-end encryption of your data.

if you are willing to use a rather more complicated system with harder setup, syncthing.net is great, it syncs files between your computers without needing a cloud service.

For more similar alternatives, running owncloud on a VM is straightforward. And, of course the featureset is limited compared to Dropbox.

I had big problems with OwnCloud. Specifically it ate files at work, but did so in such an insidious manner (slowly, over time, with no indication that anything was wrong) that I don't trust it to this day. I haven't checked lately, but the issue was acknowledged by OwnCloud devs, with the workaround being to "use a secondary sync application" (no kidding). These days I use Seafile, and I can also say that your suggestion of Syncthing is a good one. I have used and enjoy both Syncthing and Seafile. Just a word of advice: Don't trust Seafile to encrypt your data. Use Veracrypt (or equivalent) in place of the built-in "encryption" offered by Seafile.

box.com is pretty good. I've personally used it for several years now and I can't recall the last time there was any real issue with it, usability or security-wise.

I cannot agree more, I do the same, and invite everyone else to do so.

- Useful as a canary of which website has been breached

- Useful as a canary of which website sold your details

- and if your details are in the wild, you can stop the spam by deleting the address

Credit cards should work the same way: a unique authorization code specific to this vendor or this transaction and useless to any other actor.

Re: credit cards, unless you insist on using debit cards for some reason, who cares if they are compromised.

If someone steals my credit card, AMEX has a problem. I'll take reasonable care, but I'm not going to generate transaction specific numbers or whatever unless there is a strong incentive to do so.

Because it's annoying to constantly get new credit card numbers. You have to update all your autopays. You can't get a new credit card instantly. Being denied due to fraud is embarrassing. You may be out of the country and stuck with a non working credit card. It's another thing to deal with.

I wish that it was much easier to generate temporary credit card numbers for all transactions. Like upon entering real number it would generate one and swap it for you.

I believe that's pretty much what Apple Pay and the like do.

Correct. My android pay says "a virtual number ending in xxxx was used to make this purchase." It would be nice if it was a token instead of an actual credit card number. I have no idea how it is implemented.

Many had this feature (and Paypal for a while) but dropped it for some reason. My guess is they want to encourage subscription/repeat billing or some kind of fraud was rampant generating temporary numbers.

and AMEX passes the cost of that problem to all AMEX customers. You are still paying for it in the end.

How so? When a card is fraudulently used to make purchases, AmEx is not refunding you from their own pockets. They take back the money from the merchant it was fraudulently spent with (a chargeback). No loss at all on their side.

Which is then passed on to customers through slightly higher prices for goods.

But there is usually no way to opt out of this. Paying for it and not benefitting from it is lighting money on fire.

Not really, prices are based on market demand. The market does not care about fraud issues and such.

Whatever the theoretical rise in price would be (due to the fraud), don't you think the merchant would price things at that level in the first place to make extra profit, if they could?

For credit cards, check out privacy.com

I recently started using it, works great.

The fact that they publicize their 32-bit PGP fingerprint on their "security" page does not lend confidence in their security practices. Granted, there's also a link to the full PGP key, but the use of short fingerprints for any purpose should be verboten.
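To make the point about short fingerprints concrete: a "short" key ID is nothing more than the last 8 hex digits of the 40-digit SHA-1 v4 fingerprint (the "long" ID is the last 16), so publishing only those gives a verifier nothing that a cheaply generated colliding key could not also satisfy. The Python below is added here as an example and is not code from privacy.com or any commenter; it derives a v4 fingerprint from RSA key material following RFC 4880 section 12.2 and slices the key IDs out of it. The RSA parameters are constructed toy values, not a real key.

```python
"""OpenPGP v4 fingerprint and key-ID derivation (RFC 4880 section 12.2).
Added example; N, E and CREATED are constructed values, not a real key."""
import hashlib
import struct

# Constructed toy parameters (assumption): an odd 1024-bit modulus, the
# usual public exponent, and a creation timestamp of 2016-08-31 00:00 UTC.
N = (1 << 1023) + 12345
E = 65537
CREATED = 1472601600

def _mpi(n):
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian bytes."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + body

def v4_public_key_packet_body(n, e, created, algo=1):
    """Body of a v4 Public-Key packet for RSA (public-key algorithm id 1):
    version, 4-byte creation time, algorithm id, MPI(n), MPI(e)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algo]) + _mpi(n) + _mpi(e)

def v4_fingerprint(n, e, created):
    """SHA-1 over 0x99, the 2-byte packet length, and the packet body."""
    body = v4_public_key_packet_body(n, e, created)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()

def long_key_id(fingerprint):
    """Low-order 64 bits of the fingerprint (16 hex digits)."""
    return fingerprint[-16:]

def short_key_id(fingerprint):
    """Low-order 32 bits of the fingerprint (8 hex digits): the value a
    'security' page should never publish on its own."""
    return fingerprint[-8:]

def is_acceptable_identifier(published):
    """Accept only a full 160-bit fingerprint (40 hex digits, spaces allowed
    for the usual 4-digit grouping). Anything shorter can be matched by a
    key an attacker generates specifically to collide with it."""
    digits = published.replace(" ", "")
    return len(digits) == 40 and all(c in "0123456789abcdefABCDEF" for c in digits)
```

Use `is_acceptable_identifier` on whatever a site publishes before you let it stand in for the key; if it only offers a short or long ID, fetch the full key and compare the complete fingerprint, never the suffix.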


This looks pretty cool, but seems like they are invite-only for now... Any chance you can drop an invite for a fellow HNer? :)

I've got an invite, contact me via the email in my HN profile and I'll send it over.

I just checked their sign up page, turns out they are only available in the US for now :(

But thanks anyway!

I found an early access code on their twitter: "NETTED". They posted that 1st August, so I'm not sure if it still works, but give it a shot!

Wondering how this works. If one is using a different number per transaction, where are they getting so many free numbers?

Reading their footer, it says: "The Privacy Visa Card is issued by Customers Bank pursuant to a license from Visa U.S.A. Inc."

So, it seems they have some kind of partnership with a bank, which is able to generate unlimited card numbers for them.

geez, privacy.com, I wonder how much that domain cost.

I'm using a card from getfinal.com, which appears to be the same idea. So far so good, though it's not 100% disposable; I still have a plastic card whose number is no easier to change than a Chase card.

Hey! I work at privacy.com - would love to get your thoughts on our product. Hit me up at bo@privacy.com for an invite if you're up for it. I'll tell you how we got the domain :).

Nifty. Discover Card offers this--or at least did when I was using it.

They got rid of it.

Is there a service (email host) that can give you "infinite email aliases"?

(Yes, I know about the '+' in gmail, but I suspect the word is out on it)

You can setup wildcard alias in fastmail (https://fastmail.com) and literally create addresses on the fly when signing up/sharing your email.

Fastmail has a really nice subdomains feature - I have an alias in fastmail of 'shop@mydomain.com'. Any email for XXX@shop.mydomain.com gets delivered to shop+XXX@mydomain.com. Better than catchall, because all the spam gets sent to JohnSmith@mydomain.com, which is dropped.

But you can't delete that alias if you start receiving spam on it, can you?

Also like realemail+alias@gmail.com, this is really transparent to a spammer and gives away the real email.

The benefit it has is that the 'shop.' subdomain can't be guessed from the DNS records. I get a lot of spam to <randomname>@mydomain.com.

Of course, if someone sees my email address, they could certainly infer a new one. But I'll deal with that if and when I get singled out. I don't think the spammers often actually look at the millions of addresses they use.

If I start getting spam on a particular alias, I can set up filtering rules to delete them.

Wow, this is great feature, thanks for the tip! :)

I use Google Apps for Work on my domain, which lets me forward all email to any address on that domain to my inbox. That way I can use adobe@ryanplant.net, github@ryanplant.net, fitbit@ryanplant.net, etc.

I do this exact same trick and have been using it for years. It led to a couple of brief and somewhat awkward phone calls with local business owners when I asked them rather pointedly about them sharing my information with third parties.

I also take this one step further and have inbox rules to automatically send all promotional email (from sites I'm interested in) to the trash folder. If I want a coupon for a website I frequent, I'll just search my trash for the latest offers from that company. Google conveniently purges messages from the trash folder every 30 days or so, and I don't have to worry about a massive backlog of promos.

A Small Orange does this cheerfully, even for the smallest shared hosting plan. You can then go into cPanel to configure a catch-all account for the domain you're using.

Biggest downside to ASO: you have to pay $7/yr extra on domain registrations to make them private. So I register with Hover and host with ASO.

mailhero.io lets you set a username, then anything sent to *.username@mailhero.io is forwarded to an e-mail you choose. It's only somewhat an e-mail host at the moment (added a few weeks ago), and it has stated that the hosting is only temporarily free, but if you already have a host this can give the feature without requiring any form of migration.

There was an HN discussion about it fairly recently, https://news.ycombinator.com/item?id=11781361

The problem is, I have yet to find someone who accepts '+' in email addresses.

"a unique authorization code specific to this vendor or this transaction and useless to any other actor"

Sounds a lot like a bitcoin address.

...except not traceable, works with people's payment systems, sends actual US dollars, and doesn't have a 5% chance of getting stolen.

That's an amazing system you just invented, I wish it existed :-)

Fine, "not traceable by arbitrary people on the Internet".

I know the credit card company and everyone they share your data with can see your transactions, and that's a problem some may wish to avoid, but that is still a much smaller number of people who can see your transactions than Bitcoin. Bitcoin does not inherently include privacy.

I wish phone numbers could work this way. When my personal data gets leaked or sold, just revoke access to that particular token.

> Credit cards should work the same way: a unique authorization code specific to this vendor or this transaction and useless to any other actor.

Isn't that how chip-and-pin works?

Except that the merchant still gets to see my credit card numbers (both sides). But it's how paypal works. The merchant only gets an authorization code from paypal, and this code is useless to a hacker.

I also use a Unique-per-service email address with Paypal, and I noticed that Paypal actually passes on that email address to the retailer when I pay with Paypal. I receive order confirmation emails (from those retailers) and quite a few unwanted newsletters to my unique paypal address now.

I have no idea what Paypal is trying to achieve by passing on this fairly personal piece of data. I always have to enter a separate email address with the retailer anyway, and because of this scheme, those two of course never match.

Paypal is great at that kind of unintentional disclosure. Six or eight years back, because I liked what she had to say, I used it to donate to someone who was then speaking under a pseudonym as a result of some fairly credible threats. Imagine my surprise when, in the process of transferring funds, Paypal showed me her full legal name and domicile address in the UI!

Of course I let her know about it, and I seem to recall her saying she'd addressed it successfully, but if she described how, I no longer remember. It quite astonished me that this was even a thing that could happen, though. One hopes it no longer does.

This sounds like she just set up her full name and address with paypal.

It's like her giving out her email address and it being firstname.lastname@gmail.com

I'm not sure the fault lies with the service.

It's been a while, so that might be true and I just don't remember, but it would be a surprising mistake to make for someone with a great deal of professional experience in operational security.

>>>I have no idea what Paypal is trying to achieve by passing on this fairly personal piece of data.

For years the Paypal API sucked, and even today there are many companies that do not have full integration with Paypal, so this is a way to match payment records, as for 99% of shoppers the email address for the order/account will match the Paypal email address.

> the merchant still gets to see my credit card numbers (both sides)

With chip and pin? I don't think they do.

Chip and PIN cards can support tokenization, which prevents the merchant (or anyone who has hacked the merchant) from seeing the card number, but they are not required to do so. I haven't seen any numbers on what fraction of cards use tokenization.

Something to keep in mind is that when chip and PIN was developed to combat credit card fraud it was card present fraud that was the big problem, either by someone using the stolen card itself at a brick and mortar merchant or making a counterfeit card by writing the stolen number onto a blank card and using that at a brick and mortar merchant. Card not present fraud, where the number is used but not a card such as at an online merchant or a mail order merchant or telephone order merchant, was much less common.

Chip and pin made card present fraud much harder because it was much harder to obtain blank chip cards and the equipment to write a stolen number to them, and it made using an actual stolen card harder because of the PIN.

In the UK the numbers are printed on the receipt - part obfuscated on the customer's copy, fully shown on the retailer copy. So whilst the retailer may not touch the card, they still get everything except the magic 3 digits.

Where I work you need the 3 digit security code and some address numbers (which you can make up) to properly process a transaction without the card.

Yes that's what I said - they don't see both sets of numbers.

Chip and pin is not for online transactions, but in-store transactions. The merchant can see your credit card and would often manipulate it themselves.

My LogMeIn unique address gets tons of spam - their response was that I must have given it away elsewhere. I no longer use LogMeIn.

Same here. I have (at the last count) over 200 website/service specific email aliases. I very rarely use an alias for more than one service. However when I do start getting spam on that alias, and I contact the website concerned they always state it's my fault. My response? If I can, I stop using that website or service.

My dropbox alias email started getting loads of spam about 2 years ago, I immediately junked that account, and set-up a new dropbox account (friends insist on sharing stuff over it...) - my old spammy dropbox alias is in the Dropbox leaked dump, my new current one isn't, which proves that this dump of credentials is from at least before 2015.

Is it necessarily service's fault? Could the e-mail address have been intercepted when some confirmation e-mail was being delivered? Not likely, I agree, but still...

> Unique-per-service email addresses work pretty well

And they're so easy with Gmail - anything following a '+' character after your username (or alias, if using your own/company domain) will go to the same box, but keep the distinct address.

Unfortunately, depressingly many sites validate email fields, and get it wrong - thinking '+' is not allowed.

IMO it's not even worth trying to get an email regex (or other validation) right - you're probably going to send out an activation email anyway!

Except it's really obvious, and spammers can just remove the "+asd" section.

Other services also let you use the alias as a subdomain: example@alias.gmail.com. Wish Gmail added that feature. Do they have any place I can send a feature request?

Another feature of Gmail is you can place dots anywhere in your email and it will still reach you: ex.am.ple@gmail.com. I haven't seen services that reject that so it is what I use when I can't use a +.

I host my email with FastMail who allow the use of subdomains. This is a great feature, and I use it frequently.

HOWEVER, you should only do so after careful consideration. This will restrict moving your email hosting to the limited number of providers who provide this type of service, or hosting your own server.

Alternatively, you could go and reset your email address with all of the services that you gave a subdomain email.

For myself, I have been using FastMail for years and feel confident that I will continue to use their services. In the event that I needed to move from FastMail, I know that could self host if forced to.

I'm pretty sure they do know a `+` is allowed...

I've had sites reject an email containing +.

The trouble is that no one actually implements the email standard from the IETF RFC documents. In fact, some people[0] even actively discourage doing so, despite there being little in the way of good reason to not. The argument essentially goes "well, users aren't going to be likely to use those characters, unless they're doing something bad, and they make it difficult to insert the email into the database." I feel like that's a kind of laziness - we can fairly effectively remove that risk, and there are well tested tools to do so. But I do suspect that forbidding '+' is explicitly to avoid people using tagged emails. To be honest, the inconsistency in services allowing me to use '+' has caused me to just create a separate email for services that I don't have high trust for. Now no one gets my personal email, and I only check that one if I'm expecting something important.

[0] http://girders.org/blog/2013/01/31/dont-rfc-validate-email-a...

I mean, there are good reasons laid out in that document. "By RFC, email addresses are unique by mixed-case. Most (99.9+%) email systems do not treat email addresses as such."

Think of the average user. Sometimes they're going to capitalize the first letter when putting in their email, and sometimes they aren't. You don't want to make it unusually difficult for them to log in.

You -should- treat email the way that vast majority of hosted services do. "Foo Bar"@gmail.com is not allowed. Covering the million edge cases seems to not be worth the trouble, especially when it might cause difficulty for the average user

> Think of the average user. Sometimes they're going to capitalize the first letter when putting in their email, and sometimes they aren't. You don't want to make it unusually difficult for them to log in.

With smartphone keyboards and the capitalization of the first letter of the first word in form input fields by default, this is a very common occurrence. If case was considered for uniqueness of email addresses, at best, people would be extremely annoyed. At worst, there would be a tremendous amount of leakage of sensitive information to random people (due to human errors in entering case sensitive addresses), chaos due to incorrectly delivered emails and fatigue in receiving mails intended for thousands of other people. In an alternate universe where this is true, email would never have been a killer application, only a quickly killed and abandoned one. :)

Email RFC is weird. Did you know email addresses are supposed to be case sensitive? Like bob@ and Bob@ are two different addresses? Some services treat them this way, most don't. That intersection (OAuth2 from Google, for example, can return Bob.Smith@domain.com if Bob has a GA4W account) causes trouble when the OAuth handler inconsistently lower-casifies input.

Really? By my reading RFC-5321 & RFC-5322 leave interpretation of the local-part up to the software running on the host where the mail is delivered, but since that interpretation is up to those servers, intermediate servers must treat them as case sensitive and not make modifications to the local-part.

That's my interpretation, as well. The standard is for carriers, not mailboxes. As a carrier, (or someone sending an email) you should respect case, as well as respect all of the special characters, because the server is allowed full decision power over whether those things are meaningfully used.

So? What's your point?

I've encountered a number of sites that don't permit + in emails. I've also encountered a bunch that don't permit my hyphenated last name.

unique-per-service email addresses sound indeed interesting. How did you set it up?

I am a Google Apps customer and already have some 20 aliases in there, but having to go through their UI every time I sign up seems very tiresome. Can I create a wildcard email in the form of service-*@bar.com being an alias of the email foo@bar.com?

Do you know of a non-selfhosted provider that is able to do that?

/EDIT: Looks like fastmail, a service many on HN recommended is able to do something similar [0], though if one email gets added into a spam list, it seems to be not possible to remove one particular one.

/EDIT2: Fastmail just confirmed to me on Twitter that it is possible to set individual emails to rejected. Though this requires effectively creating a new alias and setting it to bounce, which falls under the account limitations [1], so 600 for a single person account.

[0]: https://www.fastmail.com/help/receive/alias-catchall.html

[1]: https://www.fastmail.com/help/account/limits.html

My email is handled by Google Apps for Business, and I just use e.g. dropbox@hemsley.cc or facebook@hemsley.cc - and have everything come to my real mailbox. Nothing to set up when I want to sign up for a new site. LastPass stores the different email addresses.

This works better than something+realaddress@gmail.com because many sites fail to handle/allow that 'format'.

I do this too. You get more spam with a catchall address, but Google get most of it. And there is no setup time lost with a new service - just use newservicename@yourdomain.com when signing up and you're away.

For gmail, if you have someone@gmail.com, you can just append +anything to your address like this: someone+anything@gmail.com. It will still end up in your mailbox without having to set up anything. See https://gmail.googleblog.com/2008/03/2-hidden-ways-to-get-mo...

I would assume that google apps version of gmail offers something similar.

This feature is called sub-addressing, but it is also known as plus addressing or tagged addressing.

I also use it but some services do not allow the plus sign in their registration form. Very frustrating.

Rejecting addresses with a plus is to me a strong incompetence clue, so unless it is somehow unavoidable, between two choices I choose the one allowing a '+'.

Sometimes I even fire off a mail explaining to people rejecting '+' how and why they lost my business...

I feel the same way. (=

Just tested this with my google apps account and it works there, too.

Also, iCloud allow this.

I used to use https://spamgourmet.com and was quite happy. You can create email addresses on the fly without doing anything in their UI: alias.number.account@spamgourmet.com. Alias is the per-site value, number is the count of emails you want to allow through before automatically routing the rest to /dev/null. I seem to recall an option to remove the numerical limit, too - once you trust the place you gave your address to.

Same here. It's free, it's incredibly easy to create new addresses, and so far (on the order of a decade) it's been trouble free for me. If you start getting spam on an address you just log in to spamgourmet, switch off the address and you're done. No send-this-plus-address filters to set up at your mail host, no subdomain tricks to fuss over, no need to create spam aliases on your Fastmail account. The only feature that I wish it had is the ability to view a log of where the spam was coming from for each address.
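The two disposable-address schemes described in this thread, a date in the local part that stops accepting mail after that day (the tmp.grepular.com trick above) and spamgourmet-style alias.number.account addresses that pass a fixed number of messages and then stop, are both just recipient policies a mail server evaluates at RCPT TO time. The Python below is an added example, not grepular's or spamgourmet's code, of a policy object implementing both plus a "burn list" for aliases that have leaked. The domain names, the account list, the exact local-part grammar and the SMTP reply strings are constructed for this example, and treating a count of 0 as "no limit" (the option the comment above recalls) is an assumption.

```python
"""Recipient policy for disposable addresses. Added example with constructed
domains and grammar:
  YYYY-MM-DD@tmp.example.com              accepted through the end of that day
  <alias>.<n>.<account>@sg.example.com    accepted for the first n messages
                                          (n == 0 means no limit; assumption)
Any alias on the burn list, and anything else on these domains, is rejected."""
from datetime import date
import re

TMP_DOMAIN = "tmp.example.com"
COUNTED_DOMAIN = "sg.example.com"
_DATED = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
_COUNTED = re.compile(r"^([a-z0-9-]+)\.(\d{1,3})\.([a-z0-9]+)$")

class RecipientPolicy:
    def __init__(self, accounts, today=None):
        # Local account names allowed to own counted aliases.
        self.accounts = {a.lower() for a in accounts}
        # alias local-part -> messages accepted so far (in memory for the example;
        # a real deployment would persist this).
        self.seen = {}
        # Aliases retired after they started receiving spam.
        self.burned = set()
        self.today = date.fromisoformat(today) if today else date.today()

    def burn(self, local_part):
        """Retire an alias for good; later mail to it is rejected at RCPT time."""
        self.burned.add(local_part.lower())

    def decide(self, recipient):
        """Return (accepted, smtp_reply) for one RCPT TO address."""
        local, _, domain = recipient.lower().rpartition("@")
        if local in self.burned:
            return False, "550 5.1.1 address retired"
        if domain == TMP_DOMAIN:
            return self._decide_dated(local)
        if domain == COUNTED_DOMAIN:
            return self._decide_counted(local)
        return False, "554 5.7.1 relay denied"

    def _decide_dated(self, local):
        m = _DATED.match(local)
        if not m:
            return False, "550 5.1.1 no such user"
        try:
            expires = date(*map(int, m.groups()))
        except ValueError:          # e.g. 2016-13-40: well-formed but not a date
            return False, "550 5.1.1 no such user"
        if self.today > expires:
            return False, "550 5.1.1 address expired"
        return True, "250 2.1.5 ok"

    def _decide_counted(self, local):
        m = _COUNTED.match(local)
        if not m or m.group(3) not in self.accounts:
            return False, "550 5.1.1 no such user"
        limit = int(m.group(2))
        used = self.seen.get(local, 0)
        if limit != 0 and used >= limit:
            return False, "550 5.1.1 quota exhausted"
        self.seen[local] = used + 1
        return True, "250 2.1.5 ok"
```

Rejecting at RCPT TO rather than accepting and discarding is deliberate: the sending server gets a permanent 5xx, nothing is queued or bounced from your side, and the expiry check is deterministic, so an address handed out for a weekend simply stops existing on Monday without anyone touching a filter.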

With Google Mail (and Apps) anything after a + in the first part of the address is ignored, so foo+dropbox@gmail.com would be routed to foo@gmail.com. That's the easiest way to do it that I know of. No need for managing separate aliases.

Whilst great info, unfortunately most of the sites that one would actually try to use this on don't accept addresses containing a "+" as valid.

Another Google Mail trick is to use periods. Not as useful as the +, but for those sites that don't accept +, one can usually add in a few extra periods to place sites into buckets (multiple adjacent periods don't work).


Unfortunately vendor sites such as apple.com don't realize xy@g and x.y@g are equivalent and will let people register both. If you accidentally click approve on the confirmation email then good luck getting Apple to remove the second account. Which is how my wife gets tons of email from Apple about a stranger's iTunes purchases along with other random items.

If you control the email address that the stranger registered to their Apple account, you could initiate a password reset, change the password, then login and change the email address to something that's not yours.

You probably just locked the stranger out of accessing their account though, so you probably shouldn't do this, unless said stranger is signing up for all kinds of services using your email address, in which case maybe they deserve it. :p

Even if they did accept it, haven't spammers figured out the pattern by now?

I don't think spammers look at individual email addresses. They're interested in 50 million emails, not you. I suspect the number of people using subaddressing is too small to notice. If it became popular enough that even computer illiterate people began using it, that's when it would be noticed.

A lot of websites purposely remove the part after the plus to avoid multiple sign-ups with the same email but different label.

Plus you can't completely shut down a label. You could route it into the trash but it will still end up in your email account.

In Gmail and Apps you can add a +suffix, e.g. dvcrn+hn1@gmail.com will send you mail, assuming your main address is dvcrn@gmail.com.

Gmail also ignores full stops, so you could also use d.v.crn@gmail or dvc.rn@gmail etc.
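The address-handling questions that run through this thread (forms rejecting '+', whether the local part is case sensitive, Gmail ignoring dots and '+tags', Apple treating xy@ and x.y@ as different accounts, sites stripping the tag to block duplicate sign-ups) all come down to a few lines of code that most sites get wrong in one direction or the other. The Python below is an added example and not code from any commenter or provider: it validates permissively against the RFC 5321/5322 grammar with the RFC length limits, splits out the sub-address tag, keeps a delivery key that preserves local-part case as the RFC requires, and computes a separate sign-up dedup key that folds case everywhere (what practically every mailbox provider does) and applies Gmail's dot and tag rules only to Gmail domains. The Gmail domain list and the decision to fold case for dedup are this example's assumptions.

```python
"""Email-address validation, sub-address extraction and canonicalisation.
Added example; inputs in the usage below are constructed."""
import re

# RFC 5321 limits: 64 octets for the local part, 254 for the whole address.
MAX_LOCAL = 64
MAX_TOTAL = 254

# dot-atom local part: RFC 5322 atext characters separated by single dots.
# Note that '+' is an ordinary atext character, not a special case.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = re.compile(rf"^{_ATEXT}+(\.{_ATEXT}+)*$")
# quoted-string local part, e.g. "Foo Bar"@example.com (valid, rarely seen)
_QUOTED = re.compile(r'^"([^"\\]|\\.)+"$')
# hostname labels; at least two labels required here (assumption: no bare TLDs)
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")

# Domains known to ignore dots and '+tags' in the local part (assumption).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def split_address(addr):
    """Return (local_part, domain) or None. Splits on the LAST '@' so a
    quoted local part containing '@' still parses."""
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    return local, domain

def is_valid_address(addr):
    """Syntactic check only; the real test is the confirmation mail."""
    parts = split_address(addr)
    if parts is None or len(addr) > MAX_TOTAL:
        return False
    local, domain = parts
    if not 0 < len(local) <= MAX_LOCAL:
        return False
    if not (_DOT_ATOM.match(local) or _QUOTED.match(local)):
        return False
    return _DOMAIN.match(domain) is not None

def split_subaddress(local, sep="+"):
    """'foo+dropbox' -> ('foo', 'dropbox'); 'foo' -> ('foo', None).
    This is exactly the split a spammer applies to recover the base address."""
    base, found, tag = local.partition(sep)
    return base, (tag if found else None)

def delivery_key(addr):
    """Key for routing: domain is case-insensitive, the local part is NOT
    (RFC 5321 leaves its interpretation to the receiving host), so it is
    kept verbatim."""
    local, domain = split_address(addr)
    return f"{local}@{domain.lower()}"

def dedup_key(addr):
    """Key for 'does this account already exist?' at sign-up. Folds case on
    both sides and, for Gmail domains only, drops dots and the +tag so
    X.Y+promo@Gmail.com and xy@gmail.com map to the same mailbox."""
    local, domain = split_address(addr)
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        base, _ = split_subaddress(local)
        return f"{base.replace('.', '')}@gmail.com"
    return f"{local}@{domain}"
```

The two keys are kept apart on purpose: using `dedup_key` for delivery would corrupt addresses on hosts that really do distinguish case, while using `delivery_key` for duplicate detection reproduces the Apple problem above, where x.y@gmail.com and xy@gmail.com end up as two accounts that both deliver to one person.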

All google email addresses will accept


This also works on google apps hosted email domains. You can then use that as part of a filter if you start getting spam to it.

I do the same, but some companies don't seem to be interested. I've had two different emails linked to a magazine's website and had spam to both.

When I've contacted them about it, they've been absolutely adamant that the spammer must have (twice) guessed the exact email address that I've had there.

I've had the same response. When I ask how come the spammer managed to successfully guess exactly the particular unique email address (including unique hashes appended to the service name as part of the username side of the address) on the first and only attempt (verified by looking at mail server logs), they just shrug.

You should report them to their country's data protection body. They are either maliciously selling your data against your explicit wishes or they've been hacked and are ignoring it.

I use spamgourmet.com for the unique-email-per-service..

Sadly, it doesn't support 2FA.

Would be cool to have a service do this automatically and test which services leak email addresses and which don't.

Yes but at the time, there was only evidence of password reuse leading to some compromised email lists... Not that password hashes themselves had been stolen. Sigh.
