If you haven't changed your Dropbox password for 4 years, do so now

Dropbox is forcing users to reset passwords that haven’t been changed since mid-2012, when LinkedIn suffered a mega-breach. An email sent to Dropbox users this morning informed them that the reset was solely a preventative measure, and not as a result of any new breach. Dropbox said that no accounts have been breached and the …

  1. Quentin North

    Spotify resets too

    So is Spotify; email this morning.

    1. mdava

      Re: Spotify resets too

      And Opera Sync too (email this morning).

    2. David Pollard

      Re: Spotify resets too

      ... and 123-Reg. Two e-mails: the first saying they were going to force a password update by the 1st August, the second correcting this to the 1st September. After this deadline, passwords that haven't been updated and those that are insecure won't work any more.

  2. The Man Who Fell To Earth

    Sounds fishy to me

    Nothing to see, move along.

    I'm all for strong passwords, although in my experience forcing users to change passwords on a (short) regular basis is a two-edged sword, in that if it's too often, they start putting passwords on post-it notes.

    1. Anonymous Coward

      Re: Sounds fishy to me

      I think this is more for that significant chunk of the population who re-use passwords across multiple services.

      1. Lee D

        Re: Sounds fishy to me

        The current advice from various agencies (and there have been articles about it on here just lately) is:

        a) Pick a long password. Complexity is not on the same order of magnitude as length.

        (e.g. an 8-letter, lower-ASCII set password gives 128^8 possibilities. A ten-letter, alphabet-only password gives 52^10 possibilities.

        128^8 = 72057594037927936

        52^10 = 144555105949057024

        An 8-character, all-symbol password takes half the time to guess compared with a 10-character, alphabetical-letters-only password.)

        b) Don't force your users to change it too often. In fact, some places recommend NO forced changes unless you have reason to suspect the account is compromised.

        And if you have any sense:

        c) Pick several good passwords and use them according to purpose. Rather than an individual password per site, that you would need to write down or store in some software somewhere, choose levels of passwords:

        - Critical, secure, ultra-sensitive

        - Financial

        - Secret

        - Junk

        I use the above system, so my Register password is my "junk" password that will only let you into other "Junk" level accounts that I have, even if you tried. My services that I care about have another entirely different password. My services that could cost money (credit cards, bank accounts, etc.) have another entirely different level of password. And anything more important has yet another level of password.

        This way you have a handful of memorable passwords that never need to be written down, you know what password a service should be using based on what it does or stores for you ("I forgot my banking password, but it should be my 'finance' level one"), compromise of some lowly forum doesn't lead to compromise of your bank accounts, and if someone gets into your PayPal, they pretty much have access to your credit card etc. anyway so you want to go and change them all (obviously) but they won't "elevate" their access beyond the account that's compromised.
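        The length-versus-alphabet arithmetic in point (a) above, generalised, as an added example that is not part of the original thread or the poster's own work. The 128 and 52 figures are the post's; the 95 (printable ASCII, the set a user can actually type) and 26 (lower-case only) alphabets, and the guess rate used for the timing estimate, are assumptions added here for comparison.

```python
import math

# Character-set sizes. 128 and 52 are the figures from the post above;
# 95 (printable ASCII) and 26 (lower-case letters) are added for comparison.
ALPHABETS = {
    "lower-ASCII (128, as in the post)": 128,
    "printable ASCII (95)": 95,
    "upper+lower letters (52)": 52,
    "lower-case letters only (26)": 26,
}

# Assumed offline guess rate for the timing column; not a figure from the post.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def length_to_match(alphabet_size: int, ref_alphabet_size: int, ref_length: int) -> int:
    """Smallest L such that alphabet_size**L >= ref_alphabet_size**ref_length.

    Uses an exact integer loop rather than ceil(log ratio) so the answer is
    right at the boundary and not subject to floating-point rounding.
    """
    target = keyspace(ref_alphabet_size, ref_length)
    length, space = 0, 1
    while space < target:
        space *= alphabet_size
        length += 1
    return length


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Average guesses to hit a uniformly random password: half the keyspace."""
    return keyspace(alphabet_size, length) // 2


def seconds_to_crack(alphabet_size: int, length: int,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time at the assumed guess rate (rate is a labelled assumption)."""
    return expected_guesses(alphabet_size, length) / guesses_per_second


def compare_post_example() -> float:
    """Ratio of the two keyspaces from the post: 128**8 divided by 52**10."""
    return keyspace(128, 8) / keyspace(52, 10)


if __name__ == "__main__":
    ref_alpha, ref_len = 128, 8
    print(f"Reference: {ref_alpha}^{ref_len} = {keyspace(ref_alpha, ref_len)}"
          f" ({entropy_bits(ref_alpha, ref_len):.1f} bits)")
    print(f"128^8 / 52^10 = {compare_post_example():.3f}")
    print()
    print(f"{'alphabet':36} {'len to match':>12} {'bits':>6} {'years @1e10/s':>14}")
    for name, size in ALPHABETS.items():
        L = length_to_match(size, ref_alpha, ref_len)
        years = seconds_to_crack(size, L) / (365 * 24 * 3600)
        print(f"{name:36} {L:>12} {entropy_bits(size, L):>6.1f} {years:>14.2f}")
```

The table makes the trade-off concrete: each extra character in a 26-letter alphabet adds about 4.7 bits, and twelve lower-case letters already exceed the 56 bits of eight characters drawn from a 128-symbol set, which is why length wins over complexity for the same memorisation effort.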

        1. AMBxx

          Re: Sounds fishy to me

          I worked for a company that issued all passwords as 20 random characters. Users couldn't change. No normal person could remember them, so passwords were just copied from the original email.

          Marginally better than post-it, but only just...

          1. CAPS LOCK

            "passwords ... copied from the original email. Marginally better than post-it, but only just..."

            A password stored in an email residing in your inbox is potentially accessible to the whole internet, whereas a password on a post-it is accessible only to people who come into your office.

            1. Jeffrey Nonken

              Re: "passwords ... copied from the original email. Marginally better than post-it, but only just..."

              Exactly. Post-its are bad physical security but, unlike password lockers, cannot be hacked remotely.

              Though I suppose you could put your password locker on a separate, air-gapped system.

        2. StephenD

          Re: Sounds fishy to me

          But, cumulatively, my banks require me to have:

          telephone password

          Internet password

          Internet userid

          father's middle name

          favourite subject at school

          favourite holiday destination

          secure key password

          memorable address

          memorable date

          street grew up on

          sports personality

          favourite actor

          Verified by Visa password

          personal greeting

          memorable word

          memorable information

          online PIN

          mother's birthday

          city born in

          first boss's first name

          passphrase

          first pet

          spouse born

          make of first car

          memorable place

          memorable date

          memorable name

          telephone banking passnumber

          Internet banking passnumber

          rewards password

          mobile app passcode

          memorable singer

          secret question

          starting salary

          memorable image

          place of birth

          first school

          secondary school

          security number

          most memorable teacher

          first car

          Some of these could be subject to your rules, but in practice the only way to deal with them is unique answers, fictitious where appropriate, stored securely (preferably offline).

          1. Midnight

            Re: Sounds fishy to me

            That is an awful lot of passwords, but don't worry. You'll only need to know one of them to convince someone at the call centre that you should have access to all of your accounts.

            Security is job one.

        3. a_yank_lurker

          Re: Sounds fishy to me

          @Lee D - All my passwords are stored in the encrypted database of my password manager. I only remember one password - to the password manager. All my site credentials have a different password for each site, so if someone gets my El Reg credentials they only have one site they can log into.

        4. Barry Rueger

          Re: Sounds fishy to me

          I'm also a fan of Lee D's system - 99 times in 100 I know the likely password from memory. Or the previous password for a security level, missed when I last did a global "change all passwords" sweep, a semi-annual practice.

          Barring that, I'm a heavy user of "Reset password" and will sometimes abandon a site if that's too cumbersome.

          For some reason user forums are a specific problem, which leads to multiple accounts of the Barry, Barry1, Barry2 variety.

        5. Fibbles

          Re: Sounds fishy to me

          Pick a reasonably long eBook and keep it on your phone. Pick a random line number, e.g. line 7 of every page. Every time you need a password pick a random page of the book and use line 7. Then instead of remembering a very long password just remember the page number.

          It's not a secure enough method for government work or anything like that but it'll do for most people's private email, forum accounts, etc.

  3. Robert E A Harvey

    done

    it asked me a few minutes after logging in, which was amusing. It reckoned I had not changed it since 2012, which is a bit rum because I only signed up this February....

  4. jms222

    I believe this https://xkcd.com/936/

    so all my passwords are "correct horse battery staple"

  5. Anonymous Coward

    And it's taken 4 years

    For them to decide they should remind users about this? Checking on inactive and spoofed accounts more like

  6. Teiwaz

    Dropbox is mostly irrelevant.

    I signed up when Ubuntuone was cancelled, in the process of evaluating better services, currently trying out Mega (really nice webpage, well laid out and helpful). Only really use Cloud for non-critical file storage and device transfer.

  7. I Like Heckling

    Sneaky Password Concealment

    I have a parent who was always forgetting passwords and PIN numbers... and wanted to write them down... So I suggested that if she needed to write down a password/PIN, she conceal it in some way.

    So for a long time her PIN number was written down as part of a phone number in amongst other phone numbers, and simple passwords were written down as part of a sentence.

    As for writing down passwords at home, I see no problem with that if you live in a trusting environment. My late aunt used to keep all hers written down in a little book in her desk drawer along with walk throughs/guides to do things that I'd taught her on her computer... as an 80yr old who'd suffered a couple of strokes and had memory issues it allowed her to do many things still as her tech support (me) was 250 miles away and unable to remote in due to her being in the countryside on a barely 1Mb connection.

    1. Anonymous Coward

      Re: Sneaky Password Concealment

      A friend of mine has mental problems. She knows passwords need to be non-obvious and secure, but normally forgets her password a few days after creating it, so she writes them down on pieces of paper which she loses within a couple of weeks.

      The password reset mechanism usually depends on having the email address you had when you created the account - but since she loses passwords often, this includes email passwords. Recovering an email account requires you to have the phone you had when you created the account - but she loses phones frequently too. So she creates new accounts frequently.

      Why do none of these dingbats have a way to contact them to retrieve the accounts?

      I suspect she, and others like her, account for 75% of all gmail and FB users, and they want to claim high user numbers.

  8. Robert Moore

    Feeling smug

    I recently decided to change ISPs, and since I would be losing my old email address (long since forwarded to Gmail) I decided to go through all the online services that I regularly use, update the email address, and while I was at it change all the passwords, making them unique and difficult to break/brute-force.

    I also started using KeePass to keep them all sorted.

  9. I Like Heckling

    Had the email from Dropbox this morning... But I normally change my password every time I get a new phone... Because I only use Dropbox for uploading pictures taken on my phones to it (along with Drive) to view on my PC... and only change my phone every 3 yrs... I can never remember my password after that long and have to reset it anyway.

    So since 2012 I'm on my 3rd phone and would have changed it at least twice since then.

  10. William 3

    Hopeful.

    I have three very secure passwords.

    The rest, I couldn't care less about.

    They're all the same.

    I keep living in hope that someone will hack into them & lock me out.

    Incentive to actually get a life rather than delude myself my opinion on forums means jack shit.

    Alas, as much to your chagrin as it is to mine.

    It has yet to pass.

  11. Tom 7

    I've forgotten it and it's staying forgotten.

    Experimenting with a Nextcloud, Pi Zero and a hard drive round at a friend's. Seems to work so far.

    Need to see if I can get two people co-hosting with me (and me for them) and that's all sorted.

  12. aberglas

    Nobody tells people how to manage passwords

    Lots of stupid advice about adding %X99 to them to make them hard to remember. But never the basic thing.

    Use (a few) strong passwords on sites you care about.

    Use a weak password everywhere else.
