CIO Matters

Dropbox hacked! Safe passwords stop hackers in their tracks

Wendy Schuchart, Site Editor

It's truly ironic: As we put site restrictions in place to stop hackers, we demand secure password management, including passwords that are increasingly more difficult to remember. Ever since the creation of the first password, we've been instructed never to write them down, but our brains can only hold so many logins. So, what's the typical user to do? Memorize one or two so-called "safe passwords" and keep using them, thinking we've done our part to stop hackers in their tracks.

    Requires Free Membership to View

Wendy Schuchart, Site Editor

A-ha, the trick's on us, because our supposedly "safe" passwords are only as safe as the weakest security point in the dozens of websites and services we use. Right on the heels of the the LinkedIn hack, we've witnessed both Yahoo and Dropbox hacked -- and now those "safe passwords" are looking pretty iffy.

You almost have to feel sorry for Dropbox. The free cloud storage company has been plagued by security problems in the past, and this week it revealed it had been hacked yet again. Not only were "a small number" of Dropbox user accounts hacked, but an employee account was also breached. That's when the proverbial crap hit the fan -- since the said employee's Dropbox account had a project file that contained "user email addresses." Dropbox has refrained from saying how many email addresses were harvested -- so somewhere between two and, oh, all of the Dropbox email addresses in the world.

How to change your Dropbox password:

  1. Log into your Dropbox account through http://www.dropbox.com.
  2. On the top of the page, click your user name.
  3. Select the security tab in the account manager.
  4. In the Account sign-in section on the bottom left, click "Change Password."
  5. Use one of the safe passwords that follow best password practices, including a mixture of symbols, numbers and upper- and lowercase letters.

As many CIOs know, this hacker tactic is a pretty common one. They harvest user IDs and passwords from one site and daisy chain onto other sites, using automated testing programs that try the email and password combinations until they hit the jackpot.

Before you feel too bad for Dropbox, remember it had a major security hole in June 2011, when the service left all Dropbox accounts open for about four hours, leaving many users to pair TrueCrypt with the service. Then, this past April, a security hole in Dropbox's iOS smartphone app revealed the company stored its users' login credentials in unencrypted text files. Did you just do a facepalm? Yeah, me too. So much for secure password management.

Are you thinking about your users right now? About how they have that cringe-worthy but very human instinct to reuse the same passwords over and over? Are you wondering if their Yahoo or Dropbox passwords aren't maybe the same password they're using to access your system? You should be.

How to determine whether your Dropbox account was accessed by another party:

  1. Log into your Dropbox account through http://www.dropbox.com.
  2. On the top of the page, click your user name.
  3. Select the security tab in the account manager.
  4. Check the "My devices" section and the "Web sessions" areas. Your own Web session should be the only one present, unless you are intentionally logged in through multiple browsers.

Dropbox is an example of the kind of IT consumerization CIOs hate: Users opening the firewall system on the down-low -- and sometimes in direct opposition to corporate policies. I'd be willing to bet at least one employee at any given midmarket organization has a Dropbox account -- whether it's sanctioned or not, whether they are accessing it on their work computers or not. It's a real-life scenario of how rogue IT can build from the very best of intentions.

And let's be clear about one thing -- now we've seen Yahoo and Dropbox hacked; before that, it was LinkedIn. Next month, it will be another service. And the month after that. It's not a matter of when, but a matter of which website and which of your passwords will be compromised next month.

Smart CIOs urge their users to do their part in stopping hackers by practicing secure password management, including, but not limited to, unique passwords for each and every login. It's not reasonable to expect most human brains to memorize the hundreds of logins that we have today, though. They won't do it. They'll do the easiest, fastest thing. Understand that about your users, and give them a secure password management tool to save their own private data, such as a password storage system like 1Password or LastPass. Most users really want to do whatever is in their best interest -- as long as it's not too much effort. In the end, we're only human; a fact the people who hacked Dropbox and Yahoo know all too well.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Expert Discussion

Be honest: Do you reuse your own passwords?

. Wendy Schuchart, Site Editor
What's your opinion?
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest