September 2, 2012

Making Dropbox even more secure

I love some special people (my Wife, Brother, Family, Friends), but that doesn’t prevent me from using the term “love” for things as well.

Therefore, I also happen to love a few pieces of software, and one of them is Dropbox. What once was a problem on which I would spend countless hours, has been turned into an amazingly simple feature. Your files, synced across devices, effortlessly. It’s not a coincidence that they’ve created this drawing here, showing a happy Dropbox customer, with a little heart floating over his head.

However, a service like Dropbox shouldn’t just be simple to use, it should also be very secure.

Not surprisingly, the Dropbox team invests a lot in security, and they share some details on what they do to make Dropbox secure:

- They use modern encryption methods to transfer data to/from the Dropbox service, as well as to store data;
- Data transfer connections use Secure Sockets Layer (SSL) and AES-256 bit encryption;
- The Dropbox website and the client software are constantly being hardened to enhance security and protect against attacks;
- Lately they’ve also introduced a Two-step verification login mechanism (more below);
- Public files are only viewable by people who know the link to the resource;
- Last, but not least, they are (happy, as far as I know) users of Amazon Web Services. This means that they can benefit from a long list of security features (more details here). As an example, all files stored online by Dropbox are encrypted and kept securely on Amazon’s Simple Storage Service (Amazon S3) in multiple data centers located across the United States.

**At this point,** a question that you should ask yourself is: can I make it more secure? The answer is YES. This is my personal list of things you can do to make Dropbox even more secure.

1) Pick your devices carefully

If you login on Dropbox.com, and then click the “Security” tab, you can see the devices that can currently access your Dropbox account. This one below is a screenshot of my devices.

I found at least two devices that I don’t use anymore, and removed them from the list of authorized devices. Even if you gave those devices to people you trust, they can be stolen. Therefore, assume that the iPad that you gave to your Dad will eventually be stolen, and that whoever takes it has the knowledge to access your Dropbox account and steal your files. Does your dad need access to your Dropbox? No? Then remove the device. Simple as that.

2) Account email

In the same Security page, below your devices, you can see the details of your account sign in.

You shouldn’t use your public email to access Dropbox. Because your email address is public, it can happen that someone decides to attack it to gain control. I created a quite obscure email address, and assigned it to my Dropbox account (to give you an idea, something like: 5tj6yhrg03hf@gmail.com). It should be an email address that you use only for a few important accounts, and that you don’t use to send email to other people. An email account like that is less likely to be the target of attacks, simply because attackers don’t have any way to know what the address is.

3) Account password

How many people use the SAME password for multiple accounts? Yes, many. Perhaps even you! If you don’t want to learn how to use a proper password tool (such as Roboform everywhere, Kaspersky Password Manager, DataVault, etc), at least follow these two simple but very effective tips:

a) Use multiple passwords: one for your primary email; a different one for your computer; a different one for your Dropbox account; a different one for your Facebook account; a different one for everything else.

b) Use tough passwords, difficult to “crack” or guess: if you don’t have a good memory, try passphrases instead of simple passwords (e.g. “MyLifeIsNice5” is a passphrase, and it’s quite tough to guess or crack, compared to “dolphin74” or “john55”).

Also, read this: choosing a good password.

4) Enable Two-Step Verification (TSV) for your Dropbox account

Very recently, Dropbox introduced TSV: it allows you to add a second step to verify your identity when you want to access your Dropbox. Using a Two-Step Verification, also generally called Multi-Factor Authentication (MFA), greatly improves your security. In fact, it’s something that we recommend for Amazon Web Services.

So, in essence, if you enable it, in addition to the (tough, I hope!) password, Dropbox will require an additional six-digit security code whenever you sign in to Dropbox or link a new device. You can choose to receive security codes by text message (SMS) on your phone, or via any Time-Based One-Time Password (TOTP) app, such as my favorite, Google Authenticator. To enable it, under the “Account sign-in” section that you see above, click “change” on Two-Step verification. You will see this nice picture:

After going through the few simple steps necessary to enable it, at the end you will receive an Emergency backup code:

It’s important that you keep this code in a safe place. You need it if you lose your phone, and want to regain access to your Dropbox.
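To show what the authenticator app on your phone actually computes when it displays the six-digit code, here is an added example (my own code, not Dropbox’s or Google Authenticator’s) of the TOTP algorithm from RFC 6238, built on HOTP from RFC 4226: HMAC-SHA1 over the current 30-second time step, dynamically truncated to six digits. The shared secret is the base32 string hidden inside the QR code you scan; the secret below is the RFC’s own test vector, and `verify` is a hypothetical server-side check that tolerates one step of clock drift.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, e.g. "081804"


def totp(secret, for_time=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `period`-second steps since the epoch.
    Phone and server share only `secret` and the clock, so the code needs no network."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // period, digits)


def totp_from_base32(b32_secret, for_time=None):
    """Authenticator apps store the secret as base32 (the text inside the enrollment QR code).
    Re-add the '=' padding that apps usually strip before decoding."""
    cleaned = b32_secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return totp(base64.b32decode(cleaned), for_time)


def verify(secret, submitted, now, window=1, period=30):
    """Hypothetical server-side check: accept the code for the current step and
    +/- `window` neighbouring steps (clock drift), comparing in constant time."""
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + step * period, period), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test-vector key (ASCII "12345678901234567890").
    demo_secret = b"12345678901234567890"
    print("code at T=59:", totp(demo_secret, 59))   # RFC vector 94287082 -> last six digits
    print("current code:", totp(demo_secret))
```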

Note: Writing a code or a password on a piece of paper might be sufficient or not, depending on how “paranoid” you are in terms of security. Me, every time I write things on paper, I apply a simple but powerful string cipher (no, I won’t tell you which one). You can try a Caesar cipher, just for fun. Here’s how to write it in Python:

```python
>>> alphabet = "abcdefghijklmnopqrstuvwxyz"
>>> key = 2
>>> # Python 3: str.maketrans replaces Python 2's string.maketrans (no import needed)
>>> tr = str.maketrans(alphabet, alphabet[key:] + alphabet[:key])
>>> "hellothere".translate(tr)
'jgnnqvjgtg'
```

In short, you can pass a string, and this program would “shift” the letters by two. It’s called a Caesar cipher because Julius Caesar used it as a simple but effective way to encipher his military messages.
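The snippet above only handles lowercase letters, so it cannot hide a backup code that mixes capitals and digits. Here is an added example (my own code, not from the original post) that generalizes the same shift to any key, keeps upper/lowercase, shifts digits on their own 0-9 ring, leaves dashes and spaces alone, and decrypts with the negative key. The sample backup code is constructed, not a real one.

```python
import string

# Each "ring" is shifted independently; characters outside all rings pass through unchanged.
RINGS = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def caesar(text, key):
    """Shift every letter/digit in `text` by `key` positions within its own ring.
    Works for any integer key (it wraps modulo the ring length); a negative key decrypts."""
    out = []
    for ch in text:
        for ring in RINGS:
            if ch in ring:
                out.append(ring[(ring.index(ch) + key) % len(ring)])
                break
        else:
            out.append(ch)          # space, dash, punctuation: left as-is
    return "".join(out)


def decrypt(text, key):
    """Undo caesar(text, key)."""
    return caesar(text, -key)


if __name__ == "__main__":
    # Constructed sample in the style of an emergency backup code; not a real Dropbox code.
    backup_code = "AB12-cd34-EF56"
    masked = caesar(backup_code, 2)
    print("written on paper:", masked)            # CD34-ef56-GH78
    print("recovered:       ", decrypt(masked, 2))  # AB12-cd34-EF56
```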

5) Enable notifications

Make sure that you receive an email every time a new device, or new application, is connected to your Dropbox account. The reason for this is obvious: if you receive an email, and it wasn’t you, somebody else is accessing your Dropbox account right now. Take action.

6) Periodically check your web sessions and your apps

Take a quick look at the latest web session (again, in the “Security” tab). If something looks wrong, immediately change your password and notify the Dropbox team.

Same goes for the applications that have access to your Dropbox account. I use none, but if you do, take a look and remember to remove the ones that shouldn’t access your account anymore. There’s no reason to add unnecessary risks.

That’s it.

I hope that this list helps. Feel free to comment if you have suggestions, etc.

(Note: Please remember that opinions expressed here are my own, and they are based solely on publicly available information. If you want to know more about Dropbox’s security, don’t base your judgement solely on this blog post, but reach out to Dropbox directly. Similarly, if you want to know more about Amazon Web Services and its security, start from the AWS Security Center.)