Dropbox Adds Two-Factor Authentication

angry tapir writes "File-sharing service Dropbox is now offering two-factor authentication, a system that makes it much harder for hackers to capture valid credentials for a person's account. Dropbox, one of the most widely used web-based storage services, said last month it planned on introducing two-factor authentication after user names and passwords were stolen from another website and used to access accounts."
  • by robmv ( 855035 ) on Monday August 27, 2012 @09:52AM (#41136165)

    Someone will hack them and will export the shared secret used for RFC 6238 TOTP: Time-Based One-Time Password Algorithm [ietf.org]. Two-factor authentication's job is to protect the user; it doesn't make Dropbox's security practices better, and they already demonstrated they are bad.

  • by Anonymous Coward on Monday August 27, 2012 @10:33AM (#41136461)

    Great, but is it still the case you can just copy %APPDATA%\Dropbox\config.db to any computer and have instant access with no visibility that the credential is being double-used and no way to revoke or invalidate it?

    http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/

    Why would someone implement a keystroke logger if they can just steal this file and have unlimited future access with complete stealth? Sounds like this just makes it harder to remotely brute force against DB servers to login.

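The post above points out that a static device credential copied from one machine to another is invisible to the service unless someone looks for the same credential being used from two places at once. As an added example (not code from the thread or from Dropbox), here is the detection side of that: a parser for a constructed client-sync access log and a check that flags any device credential seen from more than one source address within a short window. The log format, the `host_id=` field and the `HOSTID_*` values are invented placeholders for this example, not real Dropbox identifiers or log lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (timestamp, device credential, source IP, action).
# Format and values are made up for this example; host_id values are placeholders.
SAMPLE_LOG = """\
2012-08-27T09:50:01Z host_id=HOSTID_AAAA src=10.0.0.5 action=list_folder
2012-08-27T09:51:10Z host_id=HOSTID_AAAA src=10.0.0.5 action=download
2012-08-27T09:52:30Z host_id=HOSTID_AAAA src=198.51.100.7 action=download
2012-08-27T10:20:00Z host_id=HOSTID_BBBB src=192.0.2.9 action=list_folder
2012-08-27T10:21:00Z host_id=HOSTID_BBBB src=192.0.2.9 action=download
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host_id=(?P<host>\S+) src=(?P<src>\S+) action=(?P<action>\S+)$"
)


def parse_log(text: str):
    """Parse the constructed log format into (timestamp, host_id, src, action) tuples.
    Malformed lines are skipped rather than aborting the whole scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["src"], m["action"]))
    return events


def find_double_use(events, window=timedelta(minutes=10)):
    """Return {host_id: sorted list of source IPs} for every device credential
    that was used from two different sources within `window` of each other.

    A credential bound to one installation should never do this; a hit is the
    signal that the credential has been copied and should be revoked."""
    by_host = defaultdict(list)
    for ts, host, src, _action in events:
        by_host[host].append((ts, src))

    flagged = {}
    for host, seen in by_host.items():
        seen.sort()  # chronological, so the inner loop can stop at the window edge
        for i, (ts_i, src_i) in enumerate(seen):
            for ts_j, src_j in seen[i + 1:]:
                if ts_j - ts_i > window:
                    break
                if src_j != src_i:
                    flagged.setdefault(host, set()).update({src_i, src_j})
    return {host: sorted(srcs) for host, srcs in flagged.items()}


if __name__ == "__main__":
    for host, sources in find_double_use(parse_log(SAMPLE_LOG)).items():
        print(f"revoke {host}: used concurrently from {', '.join(sources)}")
```

Detection of this kind only works if the credential is per-device and revocable server-side; a single static identifier with no revocation path gives the service nothing to act on even after the copy is noticed.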
  • by yishai ( 677504 ) on Monday August 27, 2012 @10:39AM (#41136519)

    Dropbox wasn't hacked in the prior attack. Also, in a successful attack now you have two different products you have to find a security exploit on. Just throwing up your hands and saying 'everything can be hacked' isn't a security methodology.

    The problem is that in the Dropbox company it was fine to just make a Dropbox account with some password that you reuse elsewhere. That is the fundamental problem. They don't have their employees use KeePass, or 1Password or something similar and generate random passwords that they change routinely, or any of these other security practices that would have prevented this attack without the two-factor authentication. Dropbox is a huge target and does not have the expertise to play in that league (evidenced by the fact that they needed outside help to figure out this attack). I think the two-factor authentication is a good thing, but if they think "OK, problem solved" then it is not helping them. There is no replacement for good security practices, especially in a company with such a high profile.
