This week has seen not one, but two password security concerns come up. Both of these concerns, however, regard long overdue news updates about two online services.
The first is Dropbox, the popular third-party cloud storage service. Dropbox announced this week that a 2012 security breach of its passwords saw 68 million passwords and logins stolen. That’s much broader than was initially thought. The Verge states that would be a whopping two-thirds of the Dropbox user base back then.
Dropbox has set about emailing everyone about the breach. They’re also resetting passwords on accounts whose passwords haven’t been changed since 2012. However, if it’s been awhile since you’ve changed your Dropbox password, or also used it on another service, it’s probably a good idea to change it anyway. If possible, setting up two-factor authentication would be an even better idea.
The second security violation reported this week comes from music scrobbling service Last.fm. Similar to Dropbox, Last.fm reports that they also had a breach in 2012. However, they’ve only revealed today how many passwords were stolen: over 43 million. The means Last.fm used to encrypt the passwords (MD5) also isn’t particularly robust or secure by today’s standards.
Again, it’s advised for Last.fm users to change their passwords. Unlike Dropbox, the service doesn’t offer (as far as I know) two-factor authentication. Then again, I don’t think Last.fm is as popular as it once was, largely in the pre-Spotify era. Still, even older accounts can pose a security risk.
As for passwords, see my earlier posts about which ones to avoid. LastPass is a pretty good password generator and storage manager. While LastPass had its own password reset last year (as a security measure), it’s still well run as a service. Other options include 1Password and KeePass.
What do you use to keep track of passwords, if anything?