Dropbox Urges Users To Change Old Passwords

Data from a 2012 breach has resurfaced, leading to fears that the information could be used to compromise accounts. IT managers using a new Dropbox feature don't need to worry, but they still have to guard against employees' bad password hygiene.

Thomas Claburn, Editor at Large, Enterprise Mobility

August 29, 2016

3 Min Read
<p style="text-align:left">(Image: HYWARDS/iStockphoto)</p>

5 Traits Effective IT Leaders Need

5 Traits Effective IT Leaders Need

5 Traits Effective IT Leaders Need (Click image for larger view and slideshow.)

Among the half billion Dropbox users, those who have not changed their passwords since mid-2012 may wish to come up with another sequence of impossible-to-remember alphanumeric characters to authenticate themselves.

Dropbox on Thursday sent out a note advising those with passwords that have gone unchanged for at least four years to revitalize their secret sequences when next they sign in. "This is purely a preventative measure, and we're sorry for the inconvenience," the company said in its missive to customers.

IT managers using the Dropbox Business Admin Console won't be inconvenienced much at all. There's an option to reset everyone's password. But for those overseeing employees who use Dropbox on a personal basis, there's a chance that bad personal password hygiene could rub off on corporate data.

On its website, Dropbox explains that its security team became aware of "an old set of Dropbox user credentials (email addresses plus hashed and salted passwords)" that may have been obtained following a security incident reported in 2012. While the company's threat monitoring does not show any effort to exploit this data, Dropbox nonetheless is advising people to change their passwords out of an abundance of caution.

Changing passwords on a regular basis is sometimes advocated by security professionals, but not always. The Communications-Electronics Security Group (CESG), the UK government's information security arm of intelligence service GCHQ and its national technical authority for information assurance, recommends against forced password changes through password expiration.

But when there's a breach, it's necessary to pick new passwords. It's up to IT managers to ensure that the new passwords are sufficiently strong.

Nimrod Vax, cofounder and head of product at BigID, an enterprise data privacy startup, in a phone interview said password problems are unavoidable. "The problem of weak passwords and those password incidents are as old as IT," he said. "It's just human nature. Everyone knows what the problem is and how to solve it. It's like knowing you shouldn't drink and drive, but still people do it."

[See How To Make Passwords Obsolete.]

Vax acknowledges that it's hard to keep a different password for every service and device, and that changing those passwords makes remembering them even harder. IT managers, he said, can encourage people to reset their passwords, to use different passwords, and to use keyword phrases that can be remembered. "But if you have a large organization, you will have some people who just can't do it," he said.

The solutions are well known, said Vax: two-factor authentication and password management software. But IT managers have to deal with the reality of people using online services outside of enterprise oversight. Because people often use the same passwords both personally and professionally, "IT managers need to encourage the use of password solutions that span personal and enterprise space," he said.

In situations where employees resist using enterprise tools to handle personal passwords, managers should encourage the use of consumer-oriented password managers, said Vax.

"As an IT manager, you can't really separate the personal life of employees from their professional life," said Vax.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights