Dropbox Urges Users To Change Old Passwords - InformationWeek
IoT
IoT
DevOps // Project Management
News
8/29/2016
09:06 AM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Dropbox Urges Users To Change Old Passwords

Data from a 2012 breach has resurfaced, leading to fears that the information could be used to compromise accounts. IT managers using a new Dropbox feature don't need to worry, but they still have to guard against employees' bad password hygiene.

5 Traits Effective IT Leaders Need
5 Traits Effective IT Leaders Need
(Click image for larger view and slideshow.)

Among the half billion Dropbox users, those who have not changed their passwords since mid-2012 may wish to come up with another sequence of impossible-to-remember alphanumeric characters to authenticate themselves.

Dropbox on Thursday sent out a note advising those with passwords that have gone unchanged for at least four years to revitalize their secret sequences when next they sign in. "This is purely a preventative measure, and we're sorry for the inconvenience," the company said in its missive to customers.

IT managers using the Dropbox Business Admin Console won't be inconvenienced much at all. There's an option to reset everyone's password. But for those overseeing employees who use Dropbox on a personal basis, there's a chance that bad personal password hygiene could rub off on corporate data.

On its website, Dropbox explains that its security team became aware of "an old set of Dropbox user credentials (email addresses plus hashed and salted passwords)" that may have been obtained following a security incident reported in 2012. While the company's threat monitoring does not show any effort to exploit this data, Dropbox nonetheless is advising people to change their passwords out of an abundance of caution.

Changing passwords on a regular basis is sometimes advocated by security professionals, but not always. The Communications-Electronics Security Group (CESG), the UK government's information security arm of intelligence service GCHQ and its national technical authority for information assurance, recommends against forced password changes through password expiration.

(Image: HYWARDS/iStockphoto)

(Image: HYWARDS/iStockphoto)

But when there's a breach, it's necessary to pick new passwords. It's up to IT managers to ensure that the new passwords are sufficiently strong.

Nimrod Vax, cofounder and head of product at BigID, an enterprise data privacy startup, in a phone interview said password problems are unavoidable. "The problem of weak passwords and those password incidents are as old as IT," he said. "It's just human nature. Everyone knows what the problem is and how to solve it. It's like knowing you shouldn't drink and drive, but still people do it."

[See How To Make Passwords Obsolete.]

Vax acknowledges that it's hard to keep a different password for every service and device, and that changing those passwords makes remembering them even harder. IT managers, he said, can encourage people to reset their passwords, to use different passwords, and to use keyword phrases that can be remembered. "But if you have a large organization, you will have some people who just can't do it," he said.

The solutions are well known, said Vax: two-factor authentication and password management software. But IT managers have to deal with the reality of people using online services outside of enterprise oversight. Because people often use the same passwords both personally and professionally, "IT managers need to encourage the use of password solutions that span personal and enterprise space," he said.

In situations where employees resist using enterprise tools to handle personal passwords, managers should encourage the use of consumer-oriented password managers, said Vax.

"As an IT manager, you can't really separate the personal life of employees from their professional life," said Vax.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 3   >   >>
Michelle
50%
50%
Michelle,
User Rank: Ninja
8/31/2016 | 9:38:01 PM
Re: Time
@Joe I'm waiting to read all the headlines for even more breaches resulting from reused information. I wonder how many folks are ignoring the warning message from Dropbox and continuing to reuse that password on other accounts. 
Michelle
50%
50%
Michelle,
User Rank: Ninja
8/31/2016 | 9:33:48 PM
Re: Time
@Susan it's unfortunate you remembered your long unused account after the message they sent. I'm sure there have been many others who had a similar experience.
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
8/31/2016 | 5:32:13 PM
Re: Time
@Susan   lol  That would be inventive and it might work.  The most obvious is sometimes the best means of hiding.
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
8/31/2016 | 5:30:35 PM
Re: Time

@Joe  Good point.   Though it is surprising to hear security experts recommend this now but I guess if you are really making unique passwords than you really do need to write them down.

 

I have used Password Vaults for this in connection with my work, but personally I have not used this type of service.  if it is free, I would use it but I don't need another bill if it comes down to it.

Technocrati
50%
50%
Technocrati,
User Rank: Ninja
8/31/2016 | 5:26:30 PM
Re: Time

Hehe Susan,   Way to go.   I am sure you are not alone.  I am sure I have a dormant account out there that I should be checking too.  : ) 

Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Author
8/31/2016 | 3:05:40 PM
Re: Time
You made me laugh with that, Joe. I wonder if someone ever had their passwords on their computer screen. A screensaver with all your passwords should look nice. :D -Susan
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 2:50:49 PM
Re: Time
This is why many security experts recommend writing passwords down now.  Not writing down "password1", of course, but having a much more random, much longer password with some real entropy in there, and writen the password down in a truly safe place (i.e., not in or on your desk or on your computer screen).

In this way, it's very easy to keep your passwords *at least* as safe as your wallet.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 2:47:59 PM
Re: Time
Long-dormant accounts can be an especial security problem indeed -- particularly where the user has forgotten that those acccounts existed to begin with, and ESPECIALLY where the user reuses and recycles passwords.
Susan Fourtané
50%
50%
Susan Fourtané,
User Rank: Author
8/31/2016 | 2:24:44 PM
Re: Time
Hehe, Technorati. :) Actually, not yet. I'll do it now before I forget again. -Susan
Technocrati
50%
50%
Technocrati,
User Rank: Ninja
8/31/2016 | 12:47:32 PM
Re: Time
Susan,  Well I hope you have changed your password....    : ) 
Page 1 / 3   >   >>
[Interop ITX 2017] State Of DevOps Report
[Interop ITX 2017] State Of DevOps Report
The DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll