Correct​horse​battery​staple - the guys at Dropbox are funny

Filed Under: Featured, Privacy

Remember that famous xkcd cartoon, suggesting passphrases like "correcthorsebatterystaple" are harder for hackers to crack than the likes of "Tr0ub4dor&3"?

Well, I'm full of admiration for whoever the web developer was at Dropbox who implemented this on their sign-up form...

Animated gif of Dropbox login form

Turns out if you attempt to register "correcthorsebatterystaple" as your password on Dropbox, the site (quite rightly) objects.

Dropbox responds to password

Very droll.

Hat-tip: Reddit.

, , ,

You might like

26 Responses to Correct​horse​battery​staple - the guys at Dropbox are funny

  1. Champ · 1152 days ago

    So is the four word password actually a better choice than the former?

    • wrossmck · 1149 days ago

      The premis is based on the idea that the only 'true' security in password generation is length. not mixing characters (a-zA-Z) with specials (!@£$%^&*()).

      So based on length alone, it will take longer to brute force an attack.

      Not only this, but remembering a phrase such as "correcthorsebatterystaple" is much easier than one of these mixed up passwords. So it reduced the likelihood of a person needing to write it down somewhere (making it more secure, again)

      • Yes, the longer, memorable password is better, but using a well known example is not. Just like p455w0!'d is a bad password.

        Checking a password against a list of well-worn examples and common passwords is a good idea - above and beyond looking for a certain mix of chars or minimum length.

  2. Chas · 1152 days ago

    Yes, it may be comical but is this in itself a security issue? by alerting the prospective user that they have used this password means they must sample each and every password used in the sign-up process, thus they could be recording them. Most systems I use (Forums etc) store passwords hashed with a salt so even the site Administrator does not know what the passwords are that members use. This "validation" must compare the entered password with some form of look-up table to enable it to pop up the silly message.

    As a Dropbox user of long standing, I'm now more than a bit concerned...

    • securemutant · 1152 days ago

      Probably Javascript, so no need to worry...

    • Web Developer · 1152 days ago

      I doubt they are sending anything to server; this would be simple enough to implement in JavaScript. You could compare the typed text against a hard-coded string in a conditional. If it matches, show the message. Given how dynamic the site is, this is probably what is going on.

      No need to send anything to the server so nothing to worry about.

    • guest · 1151 days ago

      Um... this is before the password is transmitted (securely, encrypted with HTTPS), to the server... it's a little piece of client-side Javascript--the web browser *must* know the contents of the password field to transmit it, and the password strength meter uses the contents of the password field to estimate the strength (same with everyone else's password field--Google, Facebook, all of them have the password in plaintext before submission to the server.)

      There's nothing bad about this in terms of security. At all.

    • Vrangpus · 1151 days ago

      How is Dropbox supposed to do the hashing of the salted password - unless you give them the clear text password?

    • King · 1151 days ago

      Almost all web sites do some validation of passwords, so that means they look at what you typed. It doesn't mean they keep it.

      Just because a site stores a hash of your password does not mean they couldn't save the real password if they wanted to. If you type text into a web form and hit a button, the site has access to that text. They probably hash it on the web server and then (presumably) throw away the original. Every time you login, you send your real password to them so they can hash it and compare it to the hash they have on file. So you give it to them every time you login anyway.

      From the animated example in this article, it looks like Dropbox does this check in Javascript in the local browser (before you hit "create account"). Still, that's only the verification that happens in the browser, the password eventually submitted is probably sent to the site for more verification, hashing, and storage.

      This introduces no new access to your password text. Any web site you login on has always had access to your password text, how else could you login? The question is what they do with it and whether they keep it. But they have to look at it for anything to work.

      • Chas · 1150 days ago

        Thanks for allaying my concerns Guys. I should have realised that it was client side scripting that did the checks, I've built enough forms and field validation scripts over the years (in ASP). Duh... :-

    • Jim · 1149 days ago

      For anyone concerned, it *is* implemented in Javascript (as is the password strength meter). It's easy to see by taking a peek at the html code and the "password_strength.js" file that's referenced in there.

      BTW, There's also a special note if you use "Tr0ub4dor&3" or "Tr0ub4dour&3".

  3. So tired · 1152 days ago

    After all, the most important characteristic that makes passwords stronger is LENGTH!

  4. MipsMan · 1152 days ago

    " You wascal wabbit ! " - more succinct ? ( but possibly unknown reference for anyone under 35....)

    • Dan · 1151 days ago

      Sufferin' Succotach. I'm under 35.

      • Moltney Stroom · 1150 days ago, it's "succotash". Perhaps it was a typo error, but based on the epidemic of illiteracy that pervades the Internet, one is tempted to infer that people under 35 are less likely to know how to spell.

        • Tweetypie · 1149 days ago

          In Dan's defence, 'succotash' is hardly a commonly-used word. Picking up on that one forgiveable typo is a bit below the belt. I also take umbrage at your sweeping statement regarding all U35 year olds being illiterate. It's clearly not the case, unless the only place you frequent is youtube.

          I'm under 35 as well, and I remember Sylvester very well thanks.

        • GuyC · 1149 days ago

          Well, did lisp. So Thufferin' thuccotash is more accurate... sorry, just had to clarify! And I'm under 35, but only because I hit that number in about half a year!


    • A. · 667 days ago

      I'm 30 and I grew up on Looney Tunes, as did many of my friends around my age. Not only that, but my best friend's sixth-grader is a big fan. I have a feeling those cartoons are going to be well known for a long time.

  5. Alex W · 1151 days ago

    Well duh. A password comprised from four dictionary words strung together has got to be secure. It's the size that counts, right ladies?

  6. VFAC · 1151 days ago

    I think it is appropriate that passwords be rated on a scale of :
    too weak --> strong --> lol

  7. Jenny Wood · 1149 days ago

    I liked the message, also from dropbox when it was estimating how long it would take to upload my husband's files - This will take a while, so go have a snickers

  8. Stanley · 1143 days ago

    Soon, hackers will do attack comprises of 4 dictionary words strung together. It's only ^4 brute force attempts.

    • Angela · 1127 days ago

      Unless you're using 3 or 5 words, etc, real or made up words, formal or colloquial, your language or another, so on and so forth.

      • Matthew · 703 days ago

        Yep, to the 4th power is all that it would take. If hackers can brute force 1000 attempts/second, and people limit themselves to the 2000 most common words in the English language, a single dictionary attack with the 2000 most common words take 2 seconds and 2000^4 attacks take 550 years.

  9. Smootek · 721 days ago

    Do you guys really not get that its correct horse battery staple and not correcthorsebatterystaple?

    There's a massive difference, and it isn't length.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley