Dropbox follows through on password resets


by Jeffrey Goldberg


Have you been asked to reset your password when you try to log into Dropbox.com? You aren’t alone, and this is all as expected. If you haven’t changed your Dropbox password in a while, you (like me) will be asked to change it when you log into the website.

Back in July, Dropbox announced that they would roll out some security changes, including requiring password resets. You can read more about what led to that announcement in one of our countless articles on the dangers of using the same password for multiple sites and services. In that announcement, they listed four changes. Today we are seeing the implementation of the fourth:

In some cases, we may require you to change your password. (For example, if it’s commonly used or hasn’t been changed in a long time)

It seems like today is the day for this rollout to begin. A number of users, myself included, were greeted with a page like this when logging into Dropbox’s website:


When you click on the “Send Email” button, Dropbox will send an email to your account address with a link for resetting your password.

If, like me (though against my current, soon-to-probably-change advice), you have enabled Dropbox’s two-step verification system, you will also be prompted for your six-digit code. Once that is done, you will have successfully reset your password.

Is this legit?

When I heard of users being prompted for a password reset on Dropbox, my first thought was that this might be a phishing attempt. That is, a website pretending to be Dropbox might be trying to capture people’s passwords. When I went through the process, I double checked the authenticity of everything that I was seeing. Everything checked out.


The first thing, of course, was to check that I was connected using HTTPS and that there were no errors or warnings about that connection. HTTPS is not just about encrypting the communication between your web browser and the web server; it is also about the web server proving that it is who it says it is. The quickest way to check this is to look for some kind of lock in your browser’s location bar. If there is an error, it will be indicated there.

You can always click on the lock to get more details (which I did). But for most people, verifying the lock and that there is no error is sufficient. If you do want to know more about reading the details, one place to start would be in a post last summer about how this system can sometimes fail.


After getting the email, I checked it for signs of obvious forgery. But because I would like to get this article finished this month, I won’t describe how I went about that (I was an email administrator in the previous century). I will just say that everything checked out to the extent that it is possible to check.


I then followed the link in the email and once again made sure that my Safari really was talking to the genuine Dropbox. That is, I checked to see that I had an HTTPS connection and that no errors were indicated.

After that I rolled up a new password and entered that. Of course I made sure that my new Dropbox password was saved in 1Password. Finally, I was prompted for my six digit verification code as part of Dropbox’s optional two-step verification.


Everything in this process checked out as authentic. I don’t expect everyone to check things as thoroughly as I did, but it is important to get into the habit of checking that HTTPS websites are who they say they are. The details differ from browser to browser, but they all try to warn you if there is a problem with the trustworthiness of a website’s certificate.
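The two checks described in this section, a properly verified HTTPS connection and a reset link that really points at Dropbox rather than at a look-alike, can be automated. The Python below is an added example written for this page; it is not code from the original post, from 1Password, or from Dropbox. The trusted-host set, the sample links, and the function names are assumptions made for illustration, and `tls_peer_is` needs network access (it is only called from the demo section, never from the offline checks).

```python
"""Vet a password-reset link and, optionally, the TLS peer behind it.

Added example, not from the original post. TRUSTED_HOSTS and the sample
links below are constructed for illustration.
"""

import socket
import ssl
from urllib.parse import urlsplit

# Hosts on which we are willing to type a Dropbox password. This set is an
# assumption for the example, not an official list from Dropbox.
TRUSTED_HOSTS = {"dropbox.com", "www.dropbox.com"}


def vet_reset_link(url, trusted_hosts=TRUSTED_HOSTS):
    """Return (ok, reason). Accept only an https URL whose host is exactly
    one of trusted_hosts; reject the usual phishing tricks along the way."""
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, "scheme is %r, not https" % (parts.scheme or "missing")

    # https://www.dropbox.com@evil.example/ shows "dropbox.com" first in the
    # address bar of a careless reader, but the real host follows the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL; real host is after the '@'"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"

    # Internationalized labels can be homographs of ASCII names.
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode label in host (possible homograph)"

    # Exact match only: dropbox.com.evil.example and dropbox-com.example
    # both fail here because we never match on prefix or substring.
    if host not in trusted_hosts:
        return False, "host %r is not a trusted host" % host

    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable port"
    if port not in (None, 443):
        return False, "unexpected port %d" % port

    return True, "ok"


def tls_peer_is(host, port=443, timeout=5.0):
    """Connect with Python's default TLS context, which requires a valid
    chain to a system trust anchor and checks the hostname. This is the
    same verification the browser's lock icon summarizes. Needs network;
    returns False on any verification or connection failure."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    samples = [  # constructed sample links, not real reset emails
        "https://www.dropbox.com/reset?token=abc",
        "http://www.dropbox.com/reset?token=abc",
        "https://www.dropbox.com@evil.example/reset",
        "https://www.dropbox.com.evil.example/reset",
        "https://dropbox.com:8443/reset",
    ]
    for link in samples:
        print(vet_reset_link(link), link)
    # Live check; prints False when offline or when verification fails.
    print("TLS verification for www.dropbox.com:", tls_peer_is("www.dropbox.com"))
```

The link vetting is deliberately strict: it matches the host exactly against an allow list instead of testing whether the string contains "dropbox.com", because the look-alike domains used in phishing are built precisely to pass a substring test. The TLS check relies on `ssl.create_default_context()` rather than a hand-built context, since the default is the one configuration in the standard library that verifies both the chain and the hostname without further options.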

Changing passwords for another day

We 1Password users have strong and unique passwords for the sites that we log into. And so the security benefits of password changes are minimal. But Dropbox has no way to identify people who never use the same password on multiple sites, so we will be subject to the same requirement to change old passwords.

I will have much more to say about how often people should change passwords some other day. Quick preview: Once you have a good, memorable, and unique Master Password for 1Password you should keep it for life. For all sites and services, change your password when the administrators of those sites tell you to.

Jeffrey Goldberg - Principal Security Architect
