undefined | Better HN

0 pointsrvnx1y ago0 comments

They were using SHA1, then they migrated.

68 million accounts dumped: https://www.theguardian.com/technology/2016/aug/31/dropbox-h...

https://www.troyhunt.com/the-dropbox-hack-is-real/

now they first hash the password using SHA512 (with a per-account salt)

then they hash the password with bcrypt (with the default strength)

then they encrypt the password with a key that the application server runs with, but that is not stored in the database.

So yes, hashed and salted.

0 comments

dkyc1y ago

This hack seems to affect the Dropbox Sign application, which is based on HelloSign which they acquired a few years ago. It’s still running on the hellosign.com domain and seems mostly separate, so it wouldn’t surprise me if they also store passwords differently.

xrisk1y ago

That… seems excessive. Is it just security theater or actually useful somehow?

zsims1y ago

Useful because you can support existing passwords without requiring everyone to login or reset their password. Still has flaws though, like password shucking.

SoftTalker1y ago

They encrypt the salted password hash?

j / k navigate · click thread line to collapse