
Dropbox should absolutely be held to the flame for trying to downplay the severity of this. Their communication says 'This is purely a preventative measure', but if you had/have reused this password on any other sites (let's face it a huge proportion of non tech savvy people do this) then your entire online presence may be exposed.


Genuinely curious, but what do you think the severity is?

Everything I know about it (this article included) places the Dropbox leak very low in my sense of severity.


The severity stems from the unfortunate fact that a password leak retroactively, and silently, destroys your security across all sites that use the same or a similar password. Even if you started using the longest, randomised, two-factor-authenticated password system last year, all those forgotten or seemingly unimportant accounts are suddenly exposed.

Even when the exposed sites have minimal information or impact, minor information in aggregate adds up to a lot of danger for escalation and social engineering.

Now consider that there are huge swaths of people with the same password that they've used for email, banking, medicare, and everything else.

A proper response from Dropbox would be to explicitly and loudly inform every leaked email address (not just their current users) that they need to immediately change every password across any and all sites that might use the same leaked credentials.

Furthermore, Dropbox should set up a secure site with a unique link per email address that allows a user to key-in and check their memory against the exposed hash. I know that I have changed my password for Dropbox at least twice since 2012, but in 2012 I might have used an insecure password. Allowing me to figure it out before a nefarious party would allow me to better judge the potential personal impact.
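One way to offer the "check your memory against the exposed hash" service proposed above without the user ever sending the password (or its full hash) anywhere is the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses: the client sends only the first five hex characters of the SHA-1 and matches the remaining 35 locally. This is an added example, not code from the poster, Dropbox or HIBP; the range response and the vault are constructed, and the lookup function stands in for the HTTP call. It also covers the point made later in the thread that a password manager can tell you which sites need new passwords, by flagging reused as well as exposed entries.

```python
import hashlib
from typing import Callable, Dict, Set

# Constructed stand-in for a Pwned Passwords "range" response: each line is the
# 35-char SHA-1 suffix followed by a count of breach occurrences. The first suffix
# belongs to SHA-1("password") = 5BAA61E4...; the other two lines are made up.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0A1B2C3D4E5F60718293A4B5C6D7E8F90AB:2",
        "FFEEDDCCBBAA99887766554433221100FFE:17",
    ]),
}


def lookup_range_offline(prefix: str) -> str:
    """Stands in for GET https://api.pwnedpasswords.com/range/<prefix> (offline here)."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def exposure_count(password: str, lookup: Callable[[str], str]) -> int:
    """How often `password` appears in the corpus. Only the 5-char prefix leaves
    the client; the 35-char suffix is compared locally against the range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def sites_needing_rotation(vault: Dict[str, str], lookup: Callable[[str], str]) -> Set[str]:
    """Flag every site whose password is exposed in a breach or shared with
    another site: a leak at any one of them silently exposes the rest."""
    by_password: Dict[str, Set[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, set()).add(site)
    flagged: Set[str] = set()
    for pw, sites in by_password.items():
        if len(sites) > 1 or exposure_count(pw, lookup) > 0:
            flagged |= sites
    return flagged


if __name__ == "__main__":
    # Constructed vault: one exposed password, one reused password, one unique one.
    vault = {"dropbox": "password", "bank": "tr0ub4dor&3",
             "forum": "tr0ub4dor&3", "mail": "unique-and-long-enough"}
    print(sorted(sites_needing_rotation(vault, lookup_range_offline)))
```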


That's true if your actual password is leaked, but as described in this post, it is very unlikely that actual passwords could be retrieved. Still a non-zero risk, but I could see a case that the severity of that risk is low.

The significantly greater issue imo is the leaking of email addresses and ensuing spam.


> That's true if your actual password is leaked, but as described in this post, it is very unlikely that actual passwords could be retrieved.

If I'm interpreting the hashcat screenshot correctly (I'm probably not, and even if I am it's probably skewed by init overhead or by not counting the final result) it looks like passwords can be attacked at ~6ms/dictionary attempt against the bcrypt passwords? While HIBP didn't get their hands on salts for the SHA1s, that doesn't mean they weren't breached as well.

I take it as a given that all high value dropbox accounts with a weak password in this breach will be pwnt.

Then again, it took until last week for anyone to try and grab my Minecraft account (successful email change, but successful resecure.) Given that HIBP knew about 1 of the 4 breaches I'm aware of for similarly weak passwords, I'm surprised it took this long... (I've since finally gotten off my ass and better secured all the legacy old terribly passworded accounts I can think of / were listed in my password database...)


I think the risk is a lot higher than described by this post or dropbox. There are nearly 70 million credentials, and email addresses actually contain a fair amount of heuristic information for an attacker. For example just filter down to addresses from hotmail or yahoo, and suddenly you have a list of credentials that are far more likely to be susceptible to a dictionary attack.


As far as what we know about these cryptosystems today, the passwords are no more accessible via this breach than they are when you send them over TLS. How is that severe at all?


The first time I saw the email I believed that Dropbox was taking it as a preventative measure because they thought they were breached -- not that they were breached. This information was hidden behind the link to more information in the email itself.


did dropbox ever write up the details of how they were compromised and what else the attackers may have taken?

If not, there's nothing to suggest they didn't take other things.


Non tech savvy? Everyone does this. It's practical.

Sure most of us have a few passwords we reuse, but I know less than 5 people with truly unique passwords.


Considering the consequences of password breaches, it's decidedly impractical. Password managers make it very easy to have unique passwords for all websites.

I don't even know any of my passwords.


How many people were using password managers in 2012? The impact is huge because leaks are silently retroactive. Unless you have captured and changed every single possible account you ever created with the leaked 2012 credentials (before or after), you might still have a lot of exposure.


Except the one to your password manager :)


This scares the crap out of me. I have to remember this one, super long and complex password for my password manager. If I ever accidentally paste it somewhere else, type it in somewhere or somehow it's leaked from the password manager then I am completely screwed. This one, tiny thing can completely turn my life upside down. For sites that require security questions those are easy to game so the only way to be secure is making up answers. So I wouldn't even be able to reset a large amount of very important passwords!

I wish we had a better alternative to passwords. Something that's actually good, solid, can't lose or forget. I get the feeling we won't have that until we can start implanting chips in ourselves.


It's really not so bad. I was reluctant to use 1password until being forced to by work, and discovered how wonderful having a password manager is.

First off, your passphrase should only be used for the password manager itself. So if you accidentally paste it on twitter, you just change your passphrase.

Secondly, you're way more easily fooled than a password manager. I don't know my passwords (they're generated), so to phish me you have to convince 1password as well. That means e.g. the google open redirect bug on HN yesterday can't trick me with a fake password page on a different domain.

Third, it makes your passwords way easier to use on mobile. Most of the managers support whatever biometric integration your phone has nowadays, so rather than trying to type your 24 character alphanumeric symbol crap (or worse, a crappy password because you didn't want to make a good one on mobile) by hand you can just paste it in.

Lastly, it encourages you to actually use separate passwords for all your accounts. And when passwords get leaked, your manager can tell you which sites need new passwords.

In conclusion, password managers improve your internet security and experience immeasurably. Go buy 1password!

- satisfied 1password customer


Make sure you turn on 2FA on your password manager. That should allay most of those fears. (Of course you would still change the password if it was leaked somehow.)


1Password doesn't have 2FA because it needs to decrypt your data. It does have a long "secret account" key that you need along with your password.


I use a pass phrase which is much easier to remember. I know the source material for my pass phrase so if I need to reconstruct my master password I go to the source material and convert it into the password by encoding the first letters, punctuation symbols and letters from the passphrase into the password.

I need to get into the habit of exporting my password list to plaintext csv and storing it in a safe or safe deposit box but I haven't disciplined myself for that yet.

I am worried about the ability for the 1Password database to be hacked if someone were able to get their hands on that.


> I am worried about the ability for the 1Password database to be hacked if someone were able to get their hands on that.

This is one among several reasons I don't go in for any "cloud" based syncing of password managers. I use KeePass and sync the file with syncthing on LAN only mode.


How about using the password manager to store security question answers too? It's mildly inconvenient because each site seems to require at least three, but then you wouldn't risk forgetting them and you could use random generated strings instead of having to make them up.


> How about using the password manager to store security question answers too?

That was my point: I use my password manager to store those security questions and answers but if someone got ahold of my password manager account I would be screwed because many sites require the answers to those questions to reset a password.


You just immediately change the master password and delete previous versions of the database file?


Not really. If someone gets into someone else's password manager they can easily get a copy of all usernames and passwords and, if they're quick enough, they can start resetting them / closing them / committing fraud.

So yeah change the password and delete previous versions is a good first step but everything else has already leaked to who knows where.


I've been pretty happy not even knowing that. (YubiKey OpenPGP smart card + pass) It feels natural for my password manager to be just another thing I have to unlock with a physical key. The security concerns in practice are similar to that of my house keys, so there's pleasantly little mental overhead.


What happens to your password vault when the key suffers a malfunction? Or you lose or physically break it?


The key is backed up offline on digital media and paper. As with house and car keys, recovery from damage or loss is costly and inconvenient.


Well, yes :)


my approach to this consists of 4 security "levels":

1. I have one "throw away" password for services I don't give a fuck about
2. 2 passwords for ordinary services (breach cannot cause any serious harm and I can reset the password over my e-mail)
3. 2 other passwords (pretty easy to memorise but almost impossible to guess) that I use for my school mail, IDE, other mail accounts
4. a unique password coupled with two factor auth I only use for my primary gmail - as long as I have ownership of that, I can restore access to basically any other account I use.

ad. 1: I find it a pretty good idea to also have a secondary junk mail for signing up to these services - just in case they give my e-mail to someone for spamming or get breached.


> as long as I have ownership of that, I can restore access to basically any other account I use

And therein lies the rub. Single point of failure for your whole intricate security setup.

I have the same problem.


That's great that you use a password manager but the majority of Internet users probably don't. What's your point? Either way you look at it, if Dropbox was breached then it's the responsible thing for them to do, to disclose.


I do not have the privileges to install a password manager on my work desktop PC. So that doesn't really work for me.


You probably shouldn't keep/use any personal passwords on your work computer anyway, but KeePass offers a portable executable that does not need to be installed.


No, lots of people use password managers. You should try one.


I tried lastpass and it's been nothing but a pain in the arse. I still use it but I frickin' hate it.


If you're on a Mac, 1Password is a monumentally better experience.


Why not just use keychain?


Two of the most compelling reasons are cross-browser support and a better cross-device experience. For example, viewing/editing Keychain passwords on an iPhone requires burrowing into the Settings app, whereas 1Password has an excellent app and extension.


Works great until it doesn't (multiple user profiles in your browser, HTTP auth, non-browser based stuff like VPNs).


Wouldn't multiple user profiles have their own extensions? If so, then just install the extension on that profile? IIRC 1Password was working on something related to that, so perhaps that has changed recently.

HTTP auth not working is a bit annoying, but it's not a massive deal when you can CMD+ALT+\ and copy-paste it. Same deal with non-browser based stuff.


I am on a Mac - I'll check out 1Password, thanks


Use an algorithmic password. Pick some easy to remember keyword, then work some of the letters of the website into the password so each site is unique. For example, your seed could be "horse", and your gmail password would be something like "hgomrasiel". I've been doing this for ten years and haven't forgotten a password yet. :)


I would like to do this, and I thought about using an algorithm that uses the domain name as the seed, however different sites have different password policies and expiration times, which would make this very difficult to manage in practice. I wish all sites supported things like OpenID so I can have one central place to sign in with 3-factor authentication.


This comes up sometimes but I've found it to be less of an issue in practice than you might think. Occasionally I have to make an exception for my bank or gmail. If you do have to make a few variations at least it's only two or three passwords you have to remember instead of a different one for every login.


I'd argue with a password manager it's more pragmatic to have a different password everywhere. I know two passwords and use my manager for everything.


Anyway, tech-savvy folk are more likely to set up their own file-sync server. It is the non-tech-savvy people who are the primary users of dropbox.


Not many tech-savvy people have time to set up and maintain a personal file sync service that works across their laptops, phones, and tablets.


Second bit of data for that claim. I use dropbox because I can't be waffled to set up my own dropbox nor do I have the free time even if I did want to.
