What Dropbox Taught us About Password Security
There is no such thing as a single perfect password.
In October of 2014, it was revealed that malicious hackers may have obtained a dump of approximately 7 million username/password combinations. According to this statement from Dropbox, their site itself wasn’t hacked, most of the passwords were out-of-date, and affected users have been directly notified. Regardless, it’s worth revisiting four basic security principles that could turn such increasingly common events into totally trivial non-issues.
Use a Different Password on Every Account. I briefly discussed this in my recent security overview, but this event serves as a perfect example. If you were an exploiter, why would you want access to somebody’s Dropbox account? The simple answer is that you really don’t. You want to see if those same credentials work on Gmail, Yahoo Mail, etc. Once you have access to that, you want to move quickly to their bank account and other more sensitive things. Many folks may not secure their e-mail account as well as their bank account, but what happens when you click “Forgot My Password”? It generates an e-mail that lets them access that bank account almost immediately. Yahtzee!
Use Two-Factor Authentication. Many accounts now allow for some form of two-factor authentication. What are these factors and why do you want two of them? Simply put, those factors can include something you know, something you have, and something you are. Something you know is easy; it’s usually a pre-shared key: a password. Something you have is trickier; it can include an ID card, a special USB drive, or in Google’s case, your cell phone. Finally, something you are encompasses biometric data like fingerprints, voice prints, facial recognition, etc. Spoofing or bypassing just a single factor isn’t necessarily that hard, but two factors? Substantially harder. What this means is that even if your Dropbox and Gmail passwords were the same, the exploiter wouldn’t have access because a PIN was sent to your cell phone.
Use a Complex Non-Dictionary Password. Even if you are using different passwords on everything, it doesn’t necessarily help much if they are all really simple. Eagles1986! may seem pretty decent if you don’t reuse it, but it isn’t that hard for a good password cracker to figure out, and it gives great clues about what your other passwords are, even if they are different. It stands to reason that you might use eagles1986, eagles86, 3aGL3$1986, or any other permutation of the leaked password. If your leaked password looks like c8pAVjJJqMKgd%vC+ef2, you now look like a hardened target; you’re off of the exploiter’s low-hanging-fruit list.
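Two things a site (or a password manager) can do with the advice above are to refuse a new password that is just a permutation of one already known to be compromised, and to generate passwords that have no such stem in the first place. The following is an added example of both, not code from the original post; the leet-substitution table and the "shared stem of at least four letters" rule are assumptions chosen to catch the Eagles1986! variants the text lists, and the entropy figure is the naive pool-size estimate, which the stem check is there to correct.

```python
import math
import secrets
import string

# Common letter substitutions people use when "varying" a password (assumed table).
LEET = str.maketrans({"3": "e", "4": "a", "@": "a", "$": "s", "5": "s",
                      "0": "o", "1": "l", "!": "i", "7": "t"})


def alpha_stem(password: str) -> str:
    """Undo leet substitutions and keep only the letters, lowercased.
    'Eagles1986!', 'eagles86' and '3aGL3$1986' all reduce to an 'eagles...' stem."""
    decoded = password.lower().translate(LEET)
    return "".join(ch for ch in decoded if ch.isalpha())


def is_variant_of(candidate: str, compromised: str, min_stem: int = 4) -> bool:
    """True if the two passwords share the same dictionary stem, i.e. the new one
    is just the leaked one with different digits, symbols or leet-spelling."""
    short, long = sorted((alpha_stem(candidate), alpha_stem(compromised)), key=len)
    return len(short) >= min_stem and long.startswith(short)


def entropy_bits(password: str) -> float:
    """Naive strength estimate: log2(pool size) per character, where the pool is
    the union of character classes present. Overstates dictionary-based passwords,
    which is exactly why is_variant_of() is needed alongside it."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)   # 32 printable symbols
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 20) -> str:
    """Random password from a 94-character pool using the OS CSPRNG (secrets),
    re-drawn until every class is present so entropy_bits() reflects the full pool."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    leaked = "Eagles1986!"   # the post's example of a weak-but-unique password
    for attempt in ["eagles1986", "eagles86", "3aGL3$1986", "c8pAVjJJqMKgd%vC+ef2"]:
        print(f"{attempt:24} variant of leaked: {is_variant_of(attempt, leaked)!s:5} "
              f"naive bits: {entropy_bits(attempt):.0f}")
    print("suggested replacement:", generate_password())
```

Note that the naive estimate rates Eagles1986! at roughly 72 bits, which looks respectable; the stem check is what exposes it as a dictionary word plus a year, and it is the combination of the two checks, not either alone, that separates the low-hanging fruit from the hardened target.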
Exercise Caution When Using Unofficial Applications for Web Services. According to Dropbox, while their site itself wasn’t compromised, it was users’ input of their Dropbox credentials into other services/applications that access Dropbox that was to blame. The recent photo dump from Snapchat’s temporary photo-sharing service allegedly consisted of photos pulled from an unauthorized third-party Snapchat interface. While using alternative interfaces and bringing a service’s functionality into another piece of software can be fantastic (in fact, many of these services are developed with that option in mind), it means that you’re trusting a third party with your sensitive information. You may feel comfortable with Dropbox’s or Snapchat’s security and their terms of service, but the software that you just downloaded and linked to those accounts may not be quite as secure.
A good hacker (often dubbed a white hat hacker) or security researcher finds a security exploit and uses it to inform the system administrator or company of the potential for exploitation, giving them an opportunity to patch the hole before the details are released to the population at large. Dirtbags like the ones behind this dump may be talented (black hat) hackers, but they are exploiters and criminals. While breaches like these are increasingly commonplace, it’s never been easier to mitigate the potential for damage with some careful consideration and by following good security practices.