Post your comments for Dropbox blames employee account breach for spam attack here
Dropbox blames employee account breach for spam attack
#2
Posted 01 August 2012 - 06:26 AM
I am thankful that Dropbox owned up to the issue and was able to track down the problem. I am also very excited to hear about the new security features that are going to come out of this. It is about time that Dropbox has started ramping up the security on their service. Now if only we can get private encryption keys.
--
David Hankins
#3
Posted 01 August 2012 - 09:43 AM
"Users may also be prompted to change their password if it has not been changed in a long time."
How does that improve safety? It just makes it annoying for us to keep remembering new passwords, and annoyed people end up ignoring it.
#4
Posted 01 August 2012 - 11:29 AM
veggiedude, on 01 August 2012 - 09:43 AM, said:
"Users may also be prompted to change their password if it has not been changed in a long time."
How does that improve safety? It just makes it annoying for us to keep remembering new passwords, and annoyed people end up ignoring it.
I agree. This makes me wonder if Dropbox really has any idea on how to secure a system. It smacks of the silly password policies you find in enterprises. My favorite was this one:
https://twicprogram....swordPolicy.jsp
As far as I can tell, this is not a joke.
Minimum password length is eight characters.
Passwords must contain at least one of each of the following: one alphabetic uppercase, one alphabetic lowercase, one numeric, and one special character.
Passwords shall not contain any two identical consecutive characters (example: 22apples, 14588904).
Passwords may contain no more than two identical consecutive characters in any position from the previous password.
Passwords shall not contain any dictionary word.
Passwords shall not contain any proper noun or the name of any person, pet, child, or fictional character.
Passwords shall not contain any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password.
Passwords shall not contain any simple pattern of letters or numbers, such as "qwerty" or "xyz123".
Passwords shall not be any word, noun, or name spelled backwards or appended with a single digit or with a two-digit "year" string, such as 98xyz123.
Pass phrases, if used in addition to or instead of passwords, should follow these same guidelines.
Passwords shall not be the same as the User ID.
Password length will be selected to provide a level of protection commensurate to the value or sensitivity of the resources or data it protects, but not less than eight characters.
#5
Posted 01 August 2012 - 12:41 PM
Was it compromised because the password was guessed, or because the employee was phished or stolen?
Increased password requirements will not help. Two factor authentication may work, but I don't want to give them my cell number. Another breach and some random hacker will now have access to my account, and my phone number. No thanks.
Regardless, I don't care as much about my email address as the potential for them to have access to my data. I don't put anything unencrypted on DropBox because their employees (or someone posing as them) can access the data. They need to implement encryption that they don't have the ability to decrypt themselves.
#6
Posted 03 August 2012 - 12:42 PM
veggiedude, on 01 August 2012 - 09:43 AM, said:
"Users may also be prompted to change their password if it has not been changed in a long time."
How does that improve safety? It just makes it annoying for us to keep remembering new passwords, and annoyed people end up ignoring it.
That's true. In many offices, where the company insists on changing passwords every month or so, it becomes so hard to remember passwords that employees use the simplest, most memorable - and therefore guessable - passwords.
#7
Posted 09 August 2012 - 07:39 AM
Why does a Dropbox employee have a document that lists users' e-mail accounts? That's the question.