Dropbox password scam shows up our sloppy infosec
Dropbox, one of the world's best-known cloud storage providers, is the latest victim of a password brea ... Wait. No? No. No, it's not. Dropbox is fine for now. But it's time we had a serious talk about passwords, anyway.
Over the course of a couple of hours on Tuesday afternoon, Australian time, the breaking media story went from Dropbox having been "hacked" and 6,937,081 accounts claimed to have been compromised, to it looking more like someone was just trying to scam us.
Yes, hundreds of alleged Dropbox email addresses and plain-text passwords had been posted online.
Yes, there were people on Reddit claiming that the passwords worked.
Yes, these alleged Dropbox credentials were accompanied by a Bitcoin identifier and an appeal for money.
"THE MORE BTC DONATED WILL REFLECT HOW MANY MORE LOGIN AND PASSWORDS ARE RELEASED PUBLIC," it grammared.
But no, there had not been a hack. At least not of Dropbox.
"Recent news articles claiming that Dropbox was hacked aren't true," the company said in a statement. "Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place, measures that detect suspicious login activity, and we automatically reset passwords when it happens."
So, someone was hoping for free Bitcoin on the the basis of bulldust. Nice.
Media players spread the warning of the potential password breach as quickly as they could — which is sensible — but it means that the debunking followed later, and with less impetus. That doubtless increased the likelihood of people falling for the scam. Indeed, at the time of writing, the scammers have already made 0.0001 BTC, or about five cents. Not quite enough to retire on yet, but watch this space.
Meanwhile, expect another round of news stories reminding people to choose strong passwords, and to turn on two-factor authentication (2FA). Both pieces of advice completely miss the point.
Was that a collective sharp intake of breath I just heard?
Yes, telling users to choose strong passwords and to turn on 2FA misses the point.
Apart from the minuscule minority who have the technical knowledge to make sound security decisions and to know what is and isn't a "good" password, users are at the mercy of the security systems they're given to work with. For the most part, they're rubbish. And for the most part, the advice we give them is also rubbish.
Diogo Mónica, who leads platform security at Square, explained part of the problem in a blog post on Saturday: Advice on how to choose a strong password is generally the wrong advice.
"I think the first step is to stop propagating the idea that there is a way of choosing memorisable passwords that will keep attackers at bay," Mónica wrote.
"We should not be incentivising people to choose passwords in the first place. There are obviously a few situations where memorable passwords are a requirement" — such as a password manager's vault key, or your laptop's password — "but if you write an article about choosing passwords where password managers aren't mentioned even once, you're not helping anyone ... I have seen a lot of stupid password strength forms, but I have never seen one that tells the user generate and store the password in a password manager."
According to Mónica, our Attacker Model is wrong, too. It's time to forget about hashed passwords being brute-forced by a nation-state actor, backed up by hardware grunt — presumably, they've got us all anyway, and there are such things as rainbow tables — and concentrate instead on a password's resistance to a dictionary attack, backed up by the knowledge gained from all those leaks of large password data sets.
"Our focus should be on protecting passwords against informed statistical attacks and not brute-force attacks," Mónica wrote. "The most useful criterion on which to classify the strength of a candidate password is the frequency with which it has appeared in the past."
And that means a very different kind of password-creation form.
This is only half the problem, of course.
The real issue is that password-only authentication must die.
As the smart and glamorous @SwiftOnSecurity tweeted today: "As we move into a world where one compromise of converged cloud services betrays your entire life, 2FA is the only solution. It is required."
Exactly. So why is single-factor authentication even offered as an option in 2014?
The answer, as usual, is that online services are fearful of putting any hurdle, however minor, into the path of sucking ever more customers into their maw. That is to say, they're prioritising their own cancer-like growth rates over the safety of their customers, and they're not being called out on it by a tech press that, by and large, fetishises that growth.
In a world where 2FA tools like Google Authenticator, to mention just one, are free for the using, that's just plain wrong.