How Dropbox securely stores your passwords

It’s universally acknowledged that it’s a bad idea to store plain-text passwords. If a database containing plain-text passwords is compromised, user accounts are in immediate danger. For this reason, as early as 1976, the industry standardized on storing passwords using secure, one-way hashing mechanisms (starting with Unix Crypt). Unfortunately, while this prevents the direct reading of passwords in case of a compromise, all hashing mechanisms necessarily allow attackers to brute force the hash offline, by going through lists of possible passwords, hashing them, and comparing the result. In this context, secure hashing functions like SHA have a critical flaw for password hashing: they are designed to be fast.

Going deeper with Project Infinite

Last month at Dropbox Open London, we unveiled a new technology preview: Project Infinite. Project Infinite is designed to enable you to access all of the content in your Dropbox—no matter how small the hard disk on your machine or how much stuff you have in your Dropbox. Today, we’d like to tell you more—from a technical perspective—about what this evolution means for the Dropbox desktop client.

Traditionally, Dropbox operated entirely in user space as a program just like any other on your machine. With Dropbox Infinite, we’re going deeper: into the kernel—the core of the operating system.

What do you mean ‘we need more time’??

Project Schedule Estimation in Software Development

In tech, we spend little time talking about the softer skills like communication, project management, and prioritization. These are the skills that elevate someone from a good programmer to a great software engineer. Today, I’m going to focus on one aspect of project management that we’re famously bad at — the art of estimating a project schedule.

If there’s any doubt that this is a necessary skill, just consider that dreaded but frequently-asked question “How long will it take?” Even if you’re uber-Agile and don’t believe in far-off project deadlines,

Welcome Guido!

Today we’re excited to welcome a new member of the Dropbox family under unusual circumstances. Though he’s joining us now, his contributions to Dropbox date back to day one, all the way to the very first lines of code.

Some people only need to be introduced by their first name, and the BDFL is one of them. Dropbox is thrilled to welcome Guido, the creator of the Python programming language and a long-time friend of ours.

From the beginning,

Plop: Low-overhead profiling for Python

It’s almost time for another Hack Week at Dropbox, and with that in mind I’d like to present one of the projects from our last Hack Week.

A profiler is an indispensable tool for optimizing programs. Without a profiler, it’s hard to tell which parts of the code are consuming enough time to be worth looking at. Python comes with a profiler called cProfile, but enabling it slows things down so much that it’s usually only used in development or simulated scenarios, which may differ from real-world usage.

At our last hack week, I set out to build a profiler that would be usable on live servers without impacting our users.

zxcvbn: realistic password strength estimation

Over the last few months, I’ve seen a password strength meter on almost every signup form I’ve encountered. Password strength meters are on fire.

Here’s a question: does a meter actually help people secure their accounts? It’s less important than other areas of web security, a short sample of which includes:

  • Preventing online cracking with throttling or CAPTCHAs.
  • Preventing offline cracking by selecting a suitably slow hash function with user-unique salts.
  • Securing said password hashes.

With that disclaimer — yes. I’m convinced these meters have the potential to help.
