Dropbox has been burned too many times and is amping up login security

Aug 1, 2012 13:11 GMT

Dropbox is at the center of yet another security-related incident. This time around, much of it is not Dropbox's fault, but the incident still served as another wake-up call, for both users and the service itself. Users should treat it as a cautionary tale and stop reusing the same credentials across different services, especially ones as sensitive as Dropbox.

At the same time, users should be aware that there is no such thing as perfect security in the cloud, and that there is always a chance that any data they store on Dropbox will be leaked, hacked, lost and so on.

Two-factor authentication

For Dropbox, it was a clear indication that it needed better user-facing security, and it is acting on it. For one, Dropbox is implementing optional two-factor authentication, which will be available in the coming weeks.

It's a popular security improvement these days, pioneered in the big league by Google; Facebook and others offer the option too. It works simply enough: when logging in, users have to provide both their password and a one-time code that is sent to their phones.

The idea is that hackers may be able to get your password, but they won't also have access to your phone, so the password by itself is useless to them.

The feature can be implemented in several ways. Both Google and Facebook opt for the more user-friendly one, where the code is only required when logging in from a new computer or a new browser. Users who want the strongest security can choose to provide the code on every login.
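As an added illustration of the flow described above (this is example code, not Dropbox's own implementation), the following Python sketch models a server that checks the password first, then a six-digit one-time code that is stored only as a hash, expires, is limited in attempts and is consumed on first use, plus the "remembered browser" variant that Google and Facebook use. The five-minute code lifetime, five-attempt limit and 30-day trusted-device window are assumed policies; the `now` parameter is passed in so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed policies (not Dropbox's published values)
CODE_TTL_SECONDS = 300                # a one-time code is valid for five minutes
MAX_CODE_ATTEMPTS = 5                 # a code is dead after this many wrong guesses
TRUSTED_DEVICE_SECONDS = 30 * 86400   # a "remembered" browser skips the code for 30 days


@dataclass
class PendingCode:
    digest: bytes          # SHA-256 of the code; the plaintext only ever goes to the phone
    expires_at: float      # unix time after which the code is rejected
    attempts: int = 0


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    pending: Optional[PendingCode] = None
    trusted_devices: Dict[str, float] = field(default_factory=dict)  # token -> expiry time


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(password_hash=_hash_password(password, salt), salt=salt)


def check_password(acct: Account, password: str) -> bool:
    # First factor: constant-time comparison of salted PBKDF2 hashes
    return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))


def issue_code(acct: Account, now: float) -> str:
    """Generate a fresh six-digit code. The caller sends it to the user's phone;
    the server keeps only its hash and an expiry. Re-issuing replaces any older code."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    acct.pending = PendingCode(hashlib.sha256(code.encode()).digest(), now + CODE_TTL_SECONDS)
    return code


def verify_code(acct: Account, submitted: str, now: float) -> bool:
    """Second factor: the code must be unexpired and under the attempt limit, is
    compared in constant time, and is discarded on success so it cannot be replayed."""
    p = acct.pending
    if p is None or now > p.expires_at or p.attempts >= MAX_CODE_ATTEMPTS:
        return False
    p.attempts += 1
    ok = hmac.compare_digest(p.digest, hashlib.sha256(submitted.encode()).digest())
    if ok:
        acct.pending = None
    return ok


def remember_device(acct: Account, now: float) -> str:
    """After a successful full login, hand the browser a random token (kept in a cookie)
    so it can skip the code until the token expires: the Google/Facebook style."""
    token = secrets.token_urlsafe(32)
    acct.trusted_devices[token] = now + TRUSTED_DEVICE_SECONDS
    return token


def device_is_trusted(acct: Account, token: Optional[str], now: float) -> bool:
    if token is None:
        return False
    expiry = acct.trusted_devices.get(token)
    return expiry is not None and now <= expiry


def login(acct: Account, password: str, now: float,
          device_token: Optional[str] = None, code: Optional[str] = None) -> str:
    """Returns 'denied', 'need_code' (password ok, second factor still required) or 'ok'."""
    if not check_password(acct, password):
        return "denied"        # password is checked first so a wrong password never triggers an SMS
    if device_is_trusted(acct, device_token, now):
        return "ok"
    if code is None:
        return "need_code"
    return "ok" if verify_code(acct, code, now) else "denied"


if __name__ == "__main__":
    import time
    acct = create_account("correct horse battery staple")
    now = time.time()
    print(login(acct, "correct horse battery staple", now))              # need_code
    code = issue_code(acct, now)                                          # would be texted to the phone
    print(login(acct, "correct horse battery staple", now, code=code))   # ok
```

The check that matters most for the "phone as second factor" promise is that `verify_code` sets `acct.pending = None` on success: a code intercepted after it has been used is worthless, and the attempt counter stops a six-digit code from being brute-forced within its five-minute window.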

The downside to two-factor authentication is that users have to provide their phone numbers, and many people are still skittish about that. But given that they're entrusting far more sensitive data than their phone number to Dropbox, the fear is in most cases irrational.

Better heuristics for detecting suspect login activity

Dropbox will also be implementing algorithms to detect suspicious activity, such as users logging in from countries they've never been to before, or logging in from a computer on the other side of the world from one they logged in from just a few minutes ago. There are plenty of other heuristic methods for detecting abnormal login behavior.

Login log page with browser and location information

Dropbox also introduced a log of all website logins, listing the date, browser and location for each one. This can be a great tool for spotting strange behavior.
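As an added example (not Dropbox's code), here are the two heuristics from the previous section, a login from a never-seen country and "impossible travel" between two logins, run over a constructed login log in the shape of the date/browser/location log just described. The five log lines, the log format with latitude and longitude, the per-account country history and the 900 km/h speed threshold are all assumptions made for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold: roughly airliner speed

# Constructed sample of a website-login log (not real data):
# timestamp  account  browser  country  latitude  longitude
SAMPLE_LOG = """\
2012-08-01T08:00:00Z alice Firefox/14 US 37.77 -122.42
2012-08-01T08:05:00Z alice Chrome/21  RU 55.75 37.62
2012-08-01T09:00:00Z bob   Safari/6   DE 52.52 13.41
2012-08-01T17:00:00Z bob   Safari/6   DE 52.52 13.41
2012-08-02T10:00:00Z bob   Chrome/21  BR -23.55 -46.63
"""


@dataclass
class LoginEvent:
    when: datetime
    user: str
    browser: str
    country: str
    lat: float
    lon: float


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the whitespace-separated sample format above into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, browser, country, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, user, browser, country, float(lat), float(lon)))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_anomalies(events: List[LoginEvent],
                     known_countries: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """Flag each login that comes from a country the account has never used, or that
    is too far from the account's previous login for the time elapsed between them.
    known_countries is the per-account history before this log window (assumed input).
    Returns (user, ISO timestamp, reasons) for every flagged login, in time order."""
    alerts = []
    seen = {u: set(c) for u, c in known_countries.items()}
    last: Dict[str, LoginEvent] = {}
    for ev in sorted(events, key=lambda e: e.when):
        reasons = []
        if ev.country not in seen.setdefault(ev.user, set()):
            # A flagged country does not join the baseline here; a real system would
            # wait for the user to confirm the login before trusting the new country.
            reasons.append(f"new country {ev.country}")
        prev = last.get(ev.user)
        if prev is not None:
            # Clamp to one second so two logins in the same second cannot divide by zero
            hours = max((ev.when - prev.when).total_seconds(), 1.0) / 3600.0
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if km / hours > MAX_PLAUSIBLE_KMH:
                reasons.append(f"impossible travel: {km:.0f} km in {hours * 60:.0f} min")
        if reasons:
            alerts.append((ev.user, ev.when.isoformat(), reasons))
        last[ev.user] = ev
    return alerts


if __name__ == "__main__":
    history = {"alice": {"US"}, "bob": {"DE"}}
    for user, when, reasons in detect_anomalies(parse_log(SAMPLE_LOG), history):
        print(user, when, "; ".join(reasons))
```

On the sample, alice's second login is flagged on both counts (San Francisco to Moscow in five minutes), while bob's Brazilian login the next day is far enough in time to be physically possible and is flagged only as a new country. That distinction is the point of keeping the two heuristics separate: a new country may well be a holiday, but a speed above what an airliner can manage is almost never the same person.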

Weak password resets

Finally, Dropbox says it may require some users to change their passwords if it determines that a password is a commonly used one or hasn't been changed in a while. Dropbox hasn't explained exactly how it will check for that.