Dropbox's Layered Approach to Password Security
After Mega Data Breaches, Dropbox Strategy Has 'Grown Up Quite a Bit'
Dropbox has battened down its security hatches. There's good reason: The company was one of many this year that have faced nightmarish news that rumors of a password breach were, in fact, true. It's still unclear how Dropbox and companies including Yahoo, LinkedIn, MySpace and Twitter were hacked, or why the stolen data only circulated more widely several years after the intrusions. But the revelations have unnerved web services companies and spurred a new urgency around securing passwords.
Dropbox's intrusion was isolated to around mid-2012, an era that Rajan Kapoor, the company's senior manager for trust and security, says was a very immature time for cloud services. Since then, security has "grown up quite a bit," he says.
"The industry on the whole has learned a lot of lessons since 2012," Kapoor says. "Dropbox specifically has matured our security capabilities tremendously."
The password breach occurred around the same time as another security incident that became public. An attacker managed to compromise a Dropbox employee's credentials and stole a project document that contained user email addresses. Some users began receiving spam in German, English and Dutch advertising gambling websites.
Dropbox quickly shut down the spam and reset some user accounts after compromised credentials from other services had been successfully re-used. Although the circumstances aren't clear, it's possible that the compromised employee account was used to move laterally through Dropbox's system.
Kapoor says that the attackers eventually reached Dropbox's analytics tools. It's classic attack methodology: Use one compromised endpoint to move laterally through a victim's systems in search of sensitive information. The full scope of the breach did not become clear until four years later, when it was determined that credentials for 69 million accounts had been stolen, Dropbox said in August (see Dropbox's Big, Bad, Belated Breach Notification).
Locked Down Passwords
When the breach occurred, Dropbox was transitioning to stronger password security. Passwords can't be stored in plaintext, so they're processed with a one-way deterministic algorithm to produce a hash.
Analysis of the 2012 breach showed that some of Dropbox's passwords had been hashed with SHA-1, an algorithm that is considered insecure. Other passwords had been hashed with bcrypt, which is considered much more secure.
In an effort to restore confidence, Dropbox has taken the fairly unusual step of describing how it now secures passwords. It takes a layered onion approach that it hopes will mean that even if it experiences another breach, the information obtained will be useless. The steps were outlined in a Sept. 21 blog post.
Here's Dropbox's recipe: Plain-text passwords are first hashed with SHA-512. That result is then run through bcrypt with a per-user salt. A salt is a unique value mixed into each user's password before it is hashed, so that identical passwords produce different hashes and an attacker can't reuse precomputed tables; every guess has to be computed separately, which costs more time and computing power. That value is then encrypted with AES256. The secret key used for the AES256 encryption - which Dropbox refers to as a "pepper" - is stored in a separate location.
If a password table were leaked, the information wouldn't be useful without the pepper, Kapoor says. As an additional defensive measure in the event of a breach, Dropbox could rotate the pepper and re-encrypt the hashes, which would block attackers from using the data they obtained, even if they were able to decrypt it, he says.
The company is already thinking about how to make this system more secure. It is considering storing the pepper in a hardware security module - a device designed to provide maximum security to data such as encryption keys. Plans are also already in the works to increase the strength of its bcrypt implementation.
Halting Lateral Movement
To prevent an intruder from moving laterally through its systems, Dropbox has also mandated that its employees and engineers use two-factor authentication. "Just because you've authenticated once in one area, we do not infer that to mean you are authenticated to access anything else," Kapoor says.
Two-factor authentication has the potential to be irritating: Users are asked to fill in their normal login credentials plus a time-sensitive code. For engineers moving back and forth between different development and production systems, asking for that code every time is burdensome. But it's also essential.
"That can be pretty annoying for engineers," Kapoor says. "If they need to get into analytics four times in an hour and they've got to supply a 2FA code each time, it's going to slow them down."
To reduce friction around that process, Dropbox employees are assigned USB drives that generate the one-time passcodes. Once the drive is inserted into a computer, employees just need to tap a button to deliver the code.
But Dropbox users haven't embraced two-factor authentication as much as the company would like. Kapoor says only a single-digit percentage of users have enabled two-factor authentication, a figure the company would like to see increase. In August, Dropbox broadened its support for two-factor authentication, announcing compatibility with hardware security keys using the open FIDO Universal 2nd Factor (U2F) standard.