Hacker News new | past | comments | ask | show | jobs | submit login

This works, but if you've previously leaked a copy of the old hashes, then old passwords which are still in use are still only as secure as the old hashing mechanism. They won't be running old hashes against Dropbox's live service, they'll be dropping guessed passwords against Dropbox's live service. It doesn't matter if that password is now secured by bcrypt-with-a-hefty-cost-factor wrapped around MD5, improving its security versus being done in just MD5 -- if the password is right then the attacker will get through.



As a Dropbox user I am just going to change it back to my old password anyway.


Why? Use a password manager, then new passwords become free.


I know I should, but I can't bring myself to it.

I'm constantly switching between three OS, two browsers, different, sometimes auto-resetting computers, and it seems to be too much of a hassle.

How do I handle this? The only obvious option is a paper notebook.


LastPass works fine for me in this scenario (plus a mobile device).

I'd rather be on an Open Source password manager, but I've found the sync is always too painful to do yourself.


I'm only on two OSes (Windows, Linux) and predominantly two browsers (FF, Chrome), but Keepass (Works in Windows and Linux - pretty sure Mac too) + KeepassHttp plugin + PassIFox [1] + ChromeIPass [2] works for me.

I find it also nicer than LastPass as it combines with the native password saving of FF/Chrome rather than the highjacking and restyling of input boxes that look like user/passwords done by LastPass.

  [1]: https://github.com/pfn/passifox
  [2]: https://chrome.google.com/webstore/detail/chromeipass/ompiailgknfdndiefoaoiligalphfdae/related?hl=en-US


KeepassHttp is not even a little bit secure if run over a network, see for example: https://github.com/pfn/keepasshttp/issues/258

It's probably fine so long as both your 'client' and 'server' are on localhost, but it'll probably never be secure if the server is exposed to the internet.


I regularly switch between a MacBook for work, Linux desktop at work, Windows 10 home machine, iMac home machine, iPad, and iPhone, using at least two browsers on each (Chrome/Safari or Chrome/Edge) and often two Chrome profiles.

I use 1Password with the encrypted vault synced to Dropbox and it works wonderfully well. 1Password has native apps / browser extensions for all of those platforms (except Linux local app where they support and recommend using Wine).


I use KeePass with Keepass2Android (which has Dropbox integration), and Firefox Sync. You can log in to Firefox Sync and all your passwords will be there with you, but the canonical storage is KeePass. If I'm at a resetting computer, I just type it by hand from the mobile phone. It's not quite as convenient as using one password for everything, but it's a little bit less convenience for orders of magnitude more security.


This becomes tough when my passwords are synced via my dropbox account. I need to memorize my app store and dropbox passwords, the rest of "free".


Not unless you make sure you backup your password file somewhere other than dropbox. It doesn't even have to be very often, just whenever you update your Dropbox password (for example).


A good PM would state in the specs to check the new password isn't the same as the old one.


It's the same thing if the user re use their password though.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: