Don't blame Dropbox: It's all your fault

If Dropbox is correct that the passwords in the Pastebin file were all reused from other services, then the company is innocent. The users involved are guilty of laziness.


Do you reuse passwords? In other words, do you have the same password on more than one account? If so, you're opening yourself up to attacks from which the service cannot protect you. This is what appears to have happened with Dropbox.

When a Pastebin post full of Dropbox usernames and passwords was revealed, the default conclusion was that Dropbox got hacked. Of course this is inherently bad logic, as circumstances showed. I'm not vouching for the accuracy of Dropbox's claim that the usernames and passwords were taken from other sites and then tested against Dropbox, but it's a perfectly plausible, even likely scenario.

The attackers could have collected the usernames and passwords using any number of methods. The Dropbox claim that they "were stolen from unrelated services" is a bit unfair, as they may just as easily have been stolen from the users of those services. This could have been done with phishing, with keylogger malware or with a dictionary attack, as well as by hacking those other services.
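The scenario above, seen from the defender's side, as an added example that is not from the original article: a service takes a leaked username/password list from an unrelated site and checks which of its own accounts that list would open, because the user reused the password, so it can force a reset on exactly those accounts. The PBKDF2 parameters, the sample user table and the sample dump are all constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # assumed cost factor; a real service tunes its own


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed sample: this service's own user table (username -> (salt, digest)).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("1J!!5i4Psf3%"),  # unique, manager-generated
    "bob": hash_password("summer2014"),       # the same password bob uses elsewhere
    "carol": hash_password("correct horse"),
}

# Constructed sample: a dump leaked from an unrelated service, of the kind a
# defender receives from a breach-notification feed.
LEAKED_DUMP: List[Tuple[str, str]] = [
    ("alice", "hunter2"),     # alice's other-site password; not reused here
    ("bob", "summer2014"),    # bob reused it, so this dump opens his account
    ("dave", "letmein"),      # no such user on this service
]


def accounts_at_risk(users: Dict[str, Tuple[bytes, bytes]],
                     dump: List[Tuple[str, str]]) -> List[str]:
    """Usernames whose stored password equals one leaked from another site.

    These are the accounts a reused-credential test would open; the service
    should force a password reset and push two-factor enrolment for them.
    """
    at_risk = []
    for username, leaked_pw in dump:
        record = users.get(username)
        if record is None:
            continue  # username does not exist on this service
        salt, digest = record
        if verify(leaked_pw, salt, digest):
            at_risk.append(username)
    return at_risk
```

Only the account whose owner reused the leaked password is flagged; the unique password survives the same check untouched.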

The overwhelming majority of users reuse passwords. It's only fairly recently that I have not been reusing any at all. It took a concerted effort and the assistance of a password manager program, LastPass in my case. With over 200 accounts it would be impossible for me to remember even easy passwords, and my passwords aren't easy: thanks to my password manager they are all something like '1J!!5i4Psf3%'.

The emphasis in the Dropbox blog and a lot of other articles I've read is that the solution is that you should be using two-factor authentication. No question, two-factor authentication is a great thing, and I use it too. Even with a weak, reused password, two-factor authentication can protect an account; that is not to make excuses for weak, reused passwords. But it can be cumbersome to set up your Dropbox account with two-factor authentication and your Twitter account with two-factor authentication and your Google account with two-factor authentication, and so on. You may end up needing multiple devices as a second factor. My own solution there is to use two-factor authentication with my LastPass account (specifically I use Duo Security).

But even without two-factor authentication, you're still protected against this sort of attack, and many others, by using unique passwords on all accounts. You need to do this, and the only way to do it is with a password manager, so you need a password manager. Get to it. The next time you can't say you weren't warned.