Dropbox security breach, how to protect yourself better

Tim Gray
September 5, 2016
Backlit keyboard

Source: Wikimedia

So Dropbox got breached in 2012 and we all know about it now. Some of you may have noticed an email or some form of password reset request from dropbox to make sure that your account is secure, but this only helps if you had done the correct thing and used a different password on every site!
So since we all do that I thought now would be a great time to recap good password practices.

Good Password Practices

  • DO NOT USE THE SAME PASSWORD ON TWO SITES, EVER. JUST DONT DO IT. THIS IS NOT UP FOR DEBATE. There is nothing a hacker likes more than getting access to all the accounts you have ever made thanks to you using the same password on Gmail and Dropbox. Almost every account recovery system relies on your email being a secure location.
  • Passwords MUST be longer than 8 characters at a minimum, 12 is better and 45 is the best. This is generally not an issue as most places would enforce this at standard anyway.
  • http://www.passwordrandom.com/most-popular-passwords . If your password is on this list you are a bad person. Please retire to the hills to live out your day as a hermit.
  • Remember it is not a person breaking into your accounts, it’s a computer. Having an obvious password is not a safe practice, computers like trying the obvious. Same goes for rude words, computers don’t care if you use a swear word for your password it’s just another simple 4 letter password for it to guess.
  • Password mnemonics are not a bad way of creating long memorable passwords, but this will only work if the process for hacking passwords stay the same way as it does now. Password mnemonics are instead of using ‘password’ as your password you use ‘portugal-austria-seattle-sydney-wisconsin-oregon-russia-denver’ as your password (though don’t use this as it is now public knowledge). This is currently considered the second most secure way of coming up with passwords.
  • The most secure way of coming up with passwords at this point in time is to use 1password or a similar (KeePass is a good open source alternative). Almost all these tools have a password generation feature. Whack that bad boy up to 32+ digits and go nuts. Just make sure that the password you use to secure the password vault is 12 or more characters and a non-common password otherwise, you have just made the hacker’s job even easier.

2FA (Two-Factor Authentication)

  • This is a very good way of securing accounts, though annoying most of the time. It involves the system of something you know + something you have. The idea being that if someone gets the thing you know, they won’t have access to the thing you have.
  • We use iPhone or android apps to provide us with a 6 digit number that changes every 30 seconds. The good apps are Google Authenticator or Authy, install the app from the app store and follow the on-screen instructions.

Want to know if you are vulnerable from a similar attack on another service, https://haveibeenpwned.com/ is a reputable website that allows you to input your email and see all the places that email is found in publicly available database breaches. You can also subscribe and get a notification if you email is found in the future.

Nerd stuff below

About the breach (https://motherboard.vice.com/read/hackers-stole-over-60-million-dropbox-accounts):

  • Dropbox was breached in 2012 and there password database stolen with over 60 million hashed passwords in it.
  • This is the 6th highest number of accounts in a known breach ever.
  • Passwords are hashed + salted. This means that the password when created has something added to it by dropbox so that it is more random and harder to crack. We dont know the extent of the salting process so we are not sure if two people with the same password will have the same hash.
  • Hashes are cool it turns ‘password’ into 5f4dcc3b5aa765d61d8327deb882cf99 and there is no simple way of making that formula go backward. (No way at all really). Please note that hash is a md5 hash and is not secure for anything these days.
  • The fact that the passwords are hashed actually does not mean much when the hacker can have the database on their local machine. With modern GPU’s I can try 5301.7 million passwords per second, this why we use different passwords on different sites.

Stay safe out there people! The internet is a dark and scary place
Tim Gray – Coffee to Code

Tim works on a lot of things here at optimal and writes blogs on a wide range of topics.

Connect with Tim on LinkedIn or read his other blogs here.

Copyright © 2019 OptimalBI LTD.