Remember that famous xkcd cartoon, suggesting passphrases like "correcthorsebatterystaple" are harder for hackers to crack than the likes of "Tr0ub4dor&3"?
Well, I'm full of admiration for whoever the web developer was at Dropbox who implemented this on their sign-up form...

Turns out if you attempt to register "correcthorsebatterystaple" as your password on Dropbox, the site (quite rightly) objects.

Very droll.
Hat-tip: Reddit.
So is the four word password actually a better choice than the former?
The premise is based on the idea that the only 'true' security in password generation is length, not mixing characters (a-zA-Z) with specials (!@£$%^&*()).
So based on length alone, a brute-force attack will take longer.
Not only this, but remembering a phrase such as "correcthorsebatterystaple" is much easier than one of these mixed-up passwords. So it reduces the likelihood of a person needing to write it down somewhere (making it more secure, again).
Yes, it may be comical, but is this in itself a security issue? By alerting the prospective user that they have used this password, they must sample each and every password used in the sign-up process, thus they could be recording them. Most systems I use (forums etc.) store passwords hashed with a salt, so even the site administrator does not know what the passwords are that members use. This "validation" must compare the entered password with some form of look-up table to enable it to pop up the silly message.
As a Dropbox user of long standing, I'm now more than a bit concerned...
Probably Javascript, so no need to worry...
I doubt they are sending anything to server; this would be simple enough to implement in JavaScript. You could compare the typed text against a hard-coded string in a conditional. If it matches, show the message. Given how dynamic the site is, this is probably what is going on.
No need to send anything to the server so nothing to worry about.
Um... this is before the password is transmitted (securely, encrypted with HTTPS), to the server... it's a little piece of client-side Javascript--the web browser *must* know the contents of the password field to transmit it, and the password strength meter uses the contents of the password field to estimate the strength (same with everyone else's password field--Google, Facebook, all of them have the password in plaintext before submission to the server.)
There's nothing bad about this in terms of security. At all.
How is Dropbox supposed to do the hashing of the salted password - unless you give them the clear text password?
Almost all web sites do some validation of passwords, so that means they look at what you typed. It doesn't mean they keep it.
Just because a site stores a hash of your password does not mean they couldn't save the real password if they wanted to. If you type text into a web form and hit a button, the site has access to that text. They probably hash it on the web server and then (presumably) throw away the original. Every time you login, you send your real password to them so they can hash it and compare it to the hash they have on file. So you give it to them every time you login anyway.
From the animated example in this article, it looks like Dropbox does this check in Javascript in the local browser (before you hit "create account"). Still, that's only the verification that happens in the browser, the password eventually submitted is probably sent to the site for more verification, hashing, and storage.
This introduces no new access to your password text. Any web site you login on has always had access to your password text, how else could you login? The question is what they do with it and whether they keep it. But they have to look at it for anything to work.
Thanks for allaying my concerns Guys. I should have realised that it was client side scripting that did the checks, I've built enough forms and field validation scripts over the years (in ASP). Duh... :-
For anyone concerned, it *is* implemented in Javascript (as is the password strength meter). It's easy to see by taking a peek at the html code and the "password_strength.js" file that's referenced in there.
BTW, There's also a special note if you use "Tr0ub4dor&3" or "Tr0ub4dour&3".
After all, the most important characteristic that makes passwords stronger is LENGTH!
" You wascal wabbit ! " - more succinct ? ( but possibly unknown reference for anyone under 35....)
Sufferin' Succotach. I'm under 35.
...er, it's "succotash". Perhaps it was a typo error, but based on the epidemic of illiteracy that pervades the Internet, one is tempted to infer that people under 35 are less likely to know how to spell.
In Dan's defence, 'succotash' is hardly a commonly-used word. Picking up on that one forgivable typo is a bit below the belt. I also take umbrage at your sweeping statement regarding all U35 year olds being illiterate. It's clearly not the case, unless the only place you frequent is YouTube.
I'm under 35 as well, and I remember Sylvester very well thanks.
Well, he did lisp. So "Thufferin' thuccotash" is more accurate... sorry, just had to clarify! And I'm under 35, but only because I hit that number in about half a year!
:-D
Well duh. A password comprised from four dictionary words strung together has got to be secure. It's the size that counts, right ladies?
I think it is appropriate that passwords be rated on a scale of :
too weak --> strong --> lol
I liked the message, also from Dropbox, when it was estimating how long it would take to upload my husband's files: "This will take a while, so go have a Snickers."
Soon, hackers will do attacks comprised of 4 dictionary words strung together. It's only ^4 brute force attempts.
Unless you're using 3 or 5 words, etc, real or made up words, formal or colloquial, your language or another, so on and so forth.