Forced password resets: you're doing it wrong

2012-09-23 22:23

For the most part, I really like Dropbox, but it seems to me that their recent decision to roll out forced password changes is… poorly implemented.

First off, breaking on the first use is never a good design. Sure, in this case I just wanted to mess around with something on a spare tablet, but what if I’d actually needed to get something done? Suddenly I’ve got a large and possibly non-trivial delay before I can get anything done. If I don’t happen to be near my email, Bad Things Happen.

Secondly, the mechanism selected is a password reset. As in: Email is sent to my listed email address, which allows setting a new password on the account. What this means is that if this gets triggered at a time when I cannot easily get to my email, I’m in trouble. It gets worse; if this gets triggered at a time when someone else can get to my email, they’ve just been given complete access to the account, along with the ability to lock me out.

Password resets, without checking for access to existing passwords, are a last resort; they should never happen automatically without any previous discussion with the user as to whether that is what the user wants.

There are some interesting bits; I didn’t get the confirmation emails for a while (probably because of greylisting), so I tried an alternative method they offer, which is to log in using the old password, then create a directory with a suitably arbitrary name using one of your existing machines. Clever!

But on the whole, this is not how security should be done. Forced password resets are pretty questionable; they tend to result in passwords being written down (bad), or following easily-derived patterns (very bad). But mostly… There should never be a time when your first awareness of a password reset is that you can’t use the service. That is a bad way to make things work.

Peter Seebach

---

Comment

  1. Dropbox forced password change? What are you talking about? I haven’t had to change my Dropbox password, nor does a Google search find anything about that.

    The only thing I did find is their most recent blog entry, that they are now offering optional 2-step verification.

    Dave Leppik · 2012-09-24 09:08 · #

  2. Interestingly, they don’t seem to directly mention it, but I found mention of the Dropbox password expiration on another company’s blog. Searching on “dropbox password expired” turns up a ton of forum hits on it in September.

    So far as I can tell, the trigger for it was logging in on a new device.

    seebs · 2012-09-24 12:22 · #

 
---