Settings and Preferences
Last week I changed my password through the website, at work. On my home computer I have installed the Desktop client. I have not changed a thing and it was syncing without problems.
The same happened with my Dropbox App for my Android phone.
If I ever change the password of my account I was expecting the need to update it everywhere I use it. If, by any chance, somebody uses a Desktop/Mobile client and I change my password, this person would be able to keep on using it without problems.
From my point of view, unless I'm missing something, this is a security flaw that must be corrected.
Hope to hear from Dropbox team.
@techs2017 if somebody has your password then installing Dropbox is the least of your worries.
Super Users are not employees but the answer is the official one - this isn't a security flaw. It's by design.
When somebody adds Dropbox to their computer you receive an email telling you this has happened, unless you've disabled those security emails in the Account section.
Also, if they did do that then you can unlink the account via the same Account page. For Plus and Business users you can also request that a remote delete is done while unlinking clients.
- - - -
Did this post help you? If so please mark it for some Kudos below.
Did this post fix your issue/answer your question? If so please press the 'Accept as Solution' button to help others find it.
Did this post not resolve your issue? If so please give us some more information so we can try and help - please remember we cannot see over your shoulder so be as descriptive as possible!
It's not a security flaw - clients that are connected only use the password for the first time they connect, after that they use a token that they receive on that first authentication. Same goes for all third party apps.
Changing your password does not invalidate these tokens, nor should it.
You can deauthorise tokens and their applications via www.dropbox.com/account#security
I see the point, but I don't agree. Especially since I don't have any option to disable it. The first thing you do when a device is stolen, a security breach happens, is changing your passwords. If the person has your connected device it will not change a thing.
And, apparently, Google (just for instance) agrees with that since I need to re-enter the password. Most likely I could quote other services with the same behaviour.
This is convenience vs security again. I should have, at least, a way to have a secure way instead of a convenient one. If only one, rather have the secure way instead.
With all due respect, you should be changing your password regularly, as in on a monthly basis - doing that and having to reenter your password on each device can be extremely problematic.
If someone steals your password, no devices are affected anyway as you do not have to enter your account password to use any of them - mobile devices allow you to set a separate PIN, but your account password is never required.
If someone steals your device, they have no access to your password anyway, so disconnecting that device solves the issue.
No disrespect at all. I understand what you are saying. For me it just extends what you have previously stated and, again, I disagree.
I should have the option to revoke all access to my account as soon as I change the password. I'm pretty sure that it's not hard and you could keep using it the way it is and I would change to my way. Everybody would be happy.
Indeed I could change my password daily, which would be a bummer, but since I use a password manager (let's say it is the only way to use secure password updated frequently for several different services) to type again a password for a specific client is not even close to be problematic.
Again, it's a simple feature and both users would be happy. Maybe I am the minority here.
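The token behaviour described in this thread, and the opt-in revocation on password change that is requested, shown as an added example that is not part of any post and is not Dropbox's code. It is a toy in-memory model; `Account`, `link_device`, `unlink` and the `revoke_sessions` flag are hypothetical names.

```python
import hashlib, hmac, secrets

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Toy model: the password is checked only when a device links;
    afterwards the device presents a token (hypothetical design)."""
    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_pw(password, self._salt)
        self._tokens = {}  # sha256(token) -> device name; raw tokens are not stored

    def _check_pw(self, password: str) -> bool:
        return hmac.compare_digest(_hash_pw(password, self._salt), self._pw_hash)

    def link_device(self, device: str, password: str) -> str:
        if not self._check_pw(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).digest()] = device
        return token

    def token_valid(self, token: str) -> bool:
        return hashlib.sha256(token.encode()).digest() in self._tokens

    def unlink(self, device: str) -> None:
        self._tokens = {h: d for h, d in self._tokens.items() if d != device}

    def change_password(self, old: str, new: str, revoke_sessions: bool = False) -> None:
        if not self._check_pw(old):
            raise PermissionError("bad password")
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_pw(new, self._salt)
        if revoke_sessions:          # the option requested in the thread
            self._tokens.clear()

def demo():
    # Constructed scenario: two devices linked with the old password.
    acct = Account("old-pass")
    laptop = acct.link_device("laptop", "old-pass")
    unknown = acct.link_device("unknown-pc", "old-pass")
    acct.change_password("old-pass", "new-pass")            # tokens untouched
    after_change = (acct.token_valid(laptop), acct.token_valid(unknown))
    acct.unlink("unknown-pc")                               # per-device revocation
    after_unlink = (acct.token_valid(laptop), acct.token_valid(unknown))
    acct.change_password("new-pass", "newer-pass", revoke_sessions=True)
    after_revoke = (acct.token_valid(laptop), acct.token_valid(unknown))
    return after_change, after_unlink, after_revoke
```

In this model a password change alone leaves every linked device working; only `unlink` or the `revoke_sessions` option cuts off a device that was linked before the change.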
Hi,
I completely agree with Harry K. I think it should be an option that we could use if we want to: sign off all devices.
Actually, I found this post while searching for this exact issue: I think I had a password leak and wanted to change it... just to be safe.
I was amazed, two days later, when I saw that my desktop application was still connecting without problems. That was not what I was expecting when I changed my password.
Believing that I was OK because I changed my password, I kept it "in the open" for 2 whole days. If at least there were some text explaining the issue in the change password page...
cheers
Marcelo.
Hi: Richard P.
I agree with Marcelo, and Harry K.
So for example: if a thief stole my Dropbox password, and before I even notice that, he/she might already install the sync app on his/her PC. Now after I change my Dropbox password, can the thief still see and sync the files from his/her PC?
Richard P, if you still don't think that is a security issue, then I will be shocked. Are you in fact a Dropbox employee? Or are you just a super Dropbox user like us? No offense, but I need to email the Dropbox support team about the security concern if you are not an employee.
Thanks
Just stumbled on this, so I'm going to see if I understand it correctly.
It looks to me that the concern one of the users is having is that there is no security option when changing the password so that it will have to be re-entered when using a device. But if I am understanding correctly, that security exists if you unlink the other device(s); a new password will have to be entered for the device to be registered again.
My question is if you unlink the device and then enter the new password from the unlinked device, will it have to re-sync all files? Will files be duplicated? Or will Dropbox recognize all the old files on the device and sync only the newer or updated ones?
Glen D.