20 comments

[ 4.1 ms ] story [ 70.1 ms ] thread
Link to referenced Reddit thread w/ confirmations: http://www.reddit.com/r/sysadmin/comments/2j5xkw/has_dropbox...

Also of note is that Dropbox does not force complex passwords: http://i.imgur.com/v4h0g8D.png

Nor do they likely salt (I hope they at least hash) their passwords.
(comment deleted)
Salted passwords are not susceptible to a rainbow table, even if the salt is known by the attacker.
Rainbow tables went out of style in the early 2000s. GPU password hacking resulting in them being somewhat less useful than they were in the 90s.
Or you know... a simple dictionary attack. Salts aren't magic fairy dust that stops weak passwords from being brute forced.
True. The real problem is if you use a hash that's not designed for protecting passwords and can be computed at a rate of millions/billions per second on commodity hardware - versus s-crypt & friends which should only allow for 10s-100s guesses per second on the same hardware.
Salt doesn't work that way... you're supposed to randomly generate salt for each hash and store it alongside the hash itself. (Authentications are done by hashing the password and salt together, and then comparing that to the stored hash.)

Saying "the salt was compromised" doesn't make sense, since there's no "one" salt, and it doesn't need to be "compromised", since it's stored in the clear along with each hash.

(comment deleted)
Since nobody has said it yet... don't salt or hash your passwords, and don't parrot the line "salt your hashes" because it's a massive oversimplification and the easy/naive way is wrong.

Hashes, cryptographic hashes included, are designed to be fast. Unfortunately, that means that they're also fast to brute force.

Use bcrypt[1] or a proper key derivation function[2] like PBKDF2[3]

[1] http://en.wikipedia.org/wiki/Bcrypt

[2] http://en.wikipedia.org/wiki/Key_derivation_function

[3] http://en.wikipedia.org/wiki/PBKDF2

Looks to me like a case of users using the same password for multiple services and one of those services (not likely dropbox) was storing passwords insecurely.
Attempted to change my password; tried using Safari's suggested random alphanumeric/hyphenated password; was rejected as invalid. :(
On my machine, Safari misinterpreted the password change form to be two "new password" fields, and didn't get that the first field was an "old password" field. So it auto-filled a new password for both fields, and it was rejected because the old password didn't match.

FYI, don't try and "fix" this by erasing the top password and filling your old one in... that will cause safari to forget that you're generating a new password, and it won't commit the new password to the keychain (and you're now locked out.)

Safari fares better on the password reset link though, which has two "new password" fields and that's it.

Perfect, thanks for being more observant than I was!
I'm still suffering from spam from the last mail address leak, and now this? Time to respect my data and move it elsewhere

EDIT: Dropbox say the leak is from another service that has been compromised. Does anyone know of a service that's been popular enough to store ~7'000'000 user credentials without instead using OAuth? If there is, how did Dropbox not notice that, and how did we ad the Internet community not complain about this service sooner? I assume 7 million accounts aren't immaterial to Dropbox total users.

Could be another big service that didn't have any connection to Dropbox. People re-use passwords a lot.

LinkedIn leaked 6.5 Million hashed but not salted passwords back in 2012, for example.

Dropbox has responded to Ars Technia (not sure if elsewhere) http://arstechnica.com/security/2014/10/7-million-dropbox-us...

The update from Dropbox:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.