Harry K.6
New member | Level 1
9 years ago

Desktop/mobile client syncing after password change: security flaw?

Last week I changed my password through the website, at work. On my home computer I have the Desktop client installed. I have not changed a thing and it was syncing without problems.

The same happened with my Dropbox App for my Android phone.

If I ever change the password of my account, I was expecting to need to update it everywhere I use it. If, by any chance, somebody uses a Desktop/Mobile client and I change my password, this person would be able to keep on using it without problems.

From my point of view, unless I'm missing something, this is a security flaw that must be corrected. 

Hope to hear from Dropbox team.

  • Harry K.6
    New member | Level 1

    I see the point, but I don't agree. Especially since I don't have any option to disable it. The first thing you do when a device is stolen or a security breach happens is change your passwords. If the person has your connected device it will not change a thing.

    And, apparently, Google (just for instance) agrees with that since I need to re-enter the password. Most likely I could quote other services with the same behaviour. 

    This is convenience vs security again. I should at least have a way to choose a secure way instead of a convenient one. If only one, I would rather have the secure way.

  • Harry K.6
    New member | Level 1

    No disrespect at all. I understand what you are saying. For me it just extends what you have previously stated and, again, I disagree.

    I should have the option to revoke all access to my account as soon as I change the password. I'm pretty sure that it's not hard and you could keep using it the way it is and I would change to my way. Everybody would be happy. 

    Indeed I could change my password daily, which would be a bummer, but since I use a password manager (let's say it is the only way to use secure passwords updated frequently for several different services), typing a password again for a specific client is not even close to being problematic.

    Again, it's a simple feature and both users would be happy. Maybe I am the minority here. 

  • Marcelo R.
    New member | Level 1

    Hi,

    I completely agree with Harry K. I think it should be an option that we could use if we want to: sign off all devices.


    Actually, I found this post while searching for this exact issue: I think I had a password leak and wanted to change it ... just to be safe.

    I was amazed, two days later, when I saw that my desktop application was still connecting without problems. That was not what I was expecting when I changed my password.

    Believing that I was OK because I changed my password, I kept it "in the open" for 2 whole days. If at least there were some text explaining the issue on the change password page...

    cheers


    Marcelo.


  • Richard P.
    Super User alumni

    It's not a security flaw - clients that are connected only use the password the first time they connect; after that they use a token that they receive on that first authentication. Same goes for all third-party apps.

    Changing your password does not invalidate these tokens, nor should it.

    You can deauthorise tokens and their applications via www.dropbox.com/account#security
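
As an added illustration (not Dropbox's code, and not from any poster in this thread), here is a minimal Python model of the behaviour Richard P. describes: the password is checked once when a device is linked, every later request carries only a random token, rotating the password leaves existing tokens valid, and revocation is a separate step, either per device or, as the thread asks for, for all devices at once. The `Account` class, its methods and all values are constructed for this example.

```python
# Constructed model of token-based client auth (not Dropbox's implementation).
import hashlib
import os
import secrets


class Account:
    """Password-protected account that issues per-device bearer tokens."""

    def __init__(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        # token -> device name; token validity does not depend on the password
        self._tokens: dict[str, str] = {}

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password: str) -> None:
        if not secrets.compare_digest(self._hash(password), self._pw_hash):
            raise PermissionError("wrong password")

    def link_device(self, device: str, password: str) -> str:
        """First connection: the password is verified once, then a random
        token is issued and the client never sends the password again."""
        self._check(password)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = device
        return token

    def is_linked(self, token: str) -> bool:
        """Every later sync request is authorised by the token alone."""
        return token in self._tokens

    def change_password(self, old: str, new: str, sign_out_all: bool = False) -> None:
        """Rotating the password leaves issued tokens untouched (the behaviour
        the thread observed) unless the caller opts into revoking them all."""
        self._check(old)
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(new)
        if sign_out_all:
            self._tokens.clear()

    def unlink_device(self, device: str) -> int:
        """Per-device remedy: revoke that device's token(s), as the account
        security page lets a user do; returns how many tokens were revoked."""
        stale = [t for t, d in self._tokens.items() if d == device]
        for t in stale:
            del self._tokens[t]
        return len(stale)
```

Without `sign_out_all`, a token issued to a device that was linked using a leaked password keeps working after the password changes, which is exactly the gap the thread is about; unlinking the device (or signing out everywhere) is what actually closes it.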

  • Richard P.
    Super User alumni

    With all due respect, you should be changing your password regularly, as in on a monthly basis - doing that and having to re-enter your password on each device can be extremely problematic.

    If someone steals your password, no devices are affected anyway as you do not have to enter your account password to use any of them - mobile devices allow you to set a separate PIN, but your account password is never required.

    If someone steals your device, they have no access to your password anyway, so disconnecting that device solves the issue.


  • techs2017
    New member | Level 2

    Hi Richard P.,

    I agree with Marcelo, and Harry K.6 

    So for example: if a thief stole my Dropbox password, and before I even notice that, he/she might already have installed the sync app on his/her PC. Now, after I change my Dropbox password, can the thief still see and sync the files from his/her PC?


    Richard P., if you still don't think that is a security issue, then I will be shocked. Are you in fact a Dropbox employee? Or are you just a super Dropbox user like us? No offense, but I need to email the Dropbox support team about the security concern if you are not an employee.


    Thanks

  • Mark
    Super User II

    techs2017, if somebody has your password then installing Dropbox is the least of your worries.


    Super Users are not employees but the answer is the official one - this isn't a security flaw. It's by design.


    When somebody adds Dropbox to their computer you receive an email telling you this has happened, unless you've disabled those security emails in the Account section. 


    Also, if they did do that then you can unlink the account via the same Account page. For Plus and Business users you can also request that a remote delete is done while unlinking clients.

    • Glen H.3
      New member | Level 2

      Just stumbled on this, so I'm going to see if I understand it correctly.


      It looks to me that the concern one of the users is having is that there is no security option when changing the password so that it will have to be re-entered when using a device. But if I am understanding correctly, that security exists if you unlink the other device(s); a new password will have to be entered for the device to be registered again.


      My question is: if you unlink the device and then enter the new password from the unlinked device, will it have to re-sync all files? Will files be duplicated? Or will Dropbox recognize all the old files on the device and sync only the newer or updated ones?


      Glen D.

  • sooby
    New member | Level 2

    If I change my Google password, all devices connected to my Google account will not allow me to access my Gmail unless I enter the new password. I have two laptops (one Windows and one macOS) connected to Dropbox (using the Dropbox client). Today, I changed my password by going to the Dropbox website. But my Windows laptop (which has the old password) is syncing as usual as if nothing happened. This has got to be a bad security flaw.

    • Stuart_
      Explorer | Level 4

      Even Microsoft has abandoned the obsolete security practice of changing passwords frequently and it's no longer part of their security baseline. It's been in the news for some time.

      In this case, Dropbox handles this poorly. Everywhere else, changing a password in one place requires updating it everywhere else. It is far too easy to miss a place, and checking some random list (this is the first I've heard of it, and I've been using Dropbox for years) that isn't prominently displayed and part of the onboarding tutorial is both a UI mistake as well as a policy mistake. Companies should always act in the best security interests of customers, and allowing a token to continue operating is a direct contradiction.

      Please revisit this decision.

      https://www.computerworld.com/article/3391365/microsoft-tells-it-admins-to-nix-obsolete-password-reset-practice.html

      Thank you.

      • Jane
        Dropbox Staff
        Hey Stuart_, thanks for sharing your thoughts with us, that’s some great feedback! Positive or negative, everything you're sending us over helps us paint a clearer picture of what could enhance the way you’re interacting with Dropbox. 
        I’ve made a note of your observations here in my report internally for future iterations & I'm always here if you need further assistance from me in any way. Thanks for choosing Dropbox & have a lovely week ahead!