All you need to know about the Dropbox hack, passwords and end-to-end encryption
The Dropbox story left many puzzled about the security of file sharing services. Read our Q&A for a deeper insight into why end-to-end encryption is the secure way to share documents and how we make sure your files are safe with Tresorit.
Hackers used a Dropbox employee’s password to get into the corporate network and steal user credentials. Does that mean they also got access to my Dropbox files?
With the encryption methods Dropbox uses, it is possible. Dropbox and other mainstream services use in-transit and at-rest encryption: files are encrypted on their way to the servers, decrypted there, and then encrypted again for storage. These services hold the encryption keys to your files, so their system administrators, and anyone who gets access to their servers, can read them.
How are end-to-end encrypted services, like Tresorit, different from the rest? What would happen if one of their IT admins was hacked?
Unlike with Dropbox, hackers cannot read your files without knowing your password if you use these services. End-to-end encrypted services like Tresorit do not hold the encryption keys that open your files, so even if their servers were breached, your files would still be safe.
With end-to-end encryption based on zero-knowledge methods, all the encryption happens on your computer: neither your files nor your password ever leaves your device unencrypted.
Important: you still need a strong password. If you don’t set one, encryption cannot protect you as well as it could. Choosing a strong password is your responsibility.
But my Dropbox password is strong too. Could hackers still see my files?
When hackers breach the servers of a mainstream service provider, password strength doesn’t matter: Dropbox holds the encryption key to your files, so if unauthorized people get access to the servers, they may be able to get to the files as well.
What would happen if my Tresorit password got leaked? Does password strength matter there?
Like other services, we salt and hash passwords using strong, industry-standard algorithms, so in a breach only the hashed passwords could leak. Even then, hackers could access and read your files only if they managed to reverse your password from its hash by guessing candidates offline. That is why password strength is crucial: a strong password is practically impossible to reverse, while a weak one gives an attacker a much better chance.
Does Tresorit manage passwords differently than Dropbox?
Our service is based on a more secure, “zero-knowledge” method: we never see your password in plaintext or in a reversible form; we simply don’t know it. Dropbox hashes passwords on its servers, which means the plaintext password reaches those servers at every login. In contrast, Tresorit hashes your password on your device before anything is sent to our servers, and then hashes it once more on the server with a separate method.
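To make the two contrasts above concrete (a provider that keeps the file key next to the data versus a client that derives the file key and a login token from the password, and a server that hashes an already-hashed token), here is an added example. It is not Tresorit’s or Dropbox’s code and does not reproduce their actual algorithms or parameters: PBKDF2-SHA256 with the iteration counts shown, the HMAC-based toy cipher standing in for a real AEAD such as AES-GCM, the salt sizes and the wordlist are all assumptions made for the illustration.

```python
# Added example (not Tresorit's or Dropbox's code): provider-held file keys
# versus zero-knowledge, password-derived keys, and what a server breach yields.
import hashlib
import hmac
import os
import secrets

# Assumed work factors; a real product tunes these.
CLIENT_KDF_ITERS = 100_000   # PBKDF2 rounds run on the user's device
SERVER_KDF_ITERS = 50_000    # second hash applied by the server to the token


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC cipher standing in for AES-GCM so the example needs
    only the standard library. Do not use this construction in production."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    body = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or tampered data raises ValueError."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ciphertext")
    return _keystream_xor(enc_key, nonce, body)


# Model 1: in-transit and at-rest encryption, key generated and kept by the provider.
def server_side_store(file_bytes: bytes) -> dict:
    file_key = secrets.token_bytes(32)
    return {"file_key": file_key, "blob": toy_encrypt(file_key, file_bytes)}


def breach_server_side(server: dict) -> bytes:
    """Whoever has server access has the key: no password needed."""
    return toy_decrypt(server["file_key"], server["blob"])


# Model 2: zero-knowledge. The client derives both a file key (never sent) and an
# auth token (sent instead of the password) from one slow KDF over the password.
def client_derive(password: str, salt: bytes) -> tuple:
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_KDF_ITERS, dklen=32)
    file_key = hmac.new(master, b"file-key", hashlib.sha256).digest()
    auth_token = hmac.new(master, b"auth-token", hashlib.sha256).digest()
    return file_key, auth_token


def _server_hash(auth_token: bytes, server_salt: bytes) -> bytes:
    """The server hashes the already-hashed token once more before storing it."""
    return hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, SERVER_KDF_ITERS)


def zero_knowledge_signup(password: str, file_bytes: bytes) -> dict:
    """Everything the server ends up holding: no password and no file key."""
    salt, server_salt = os.urandom(16), os.urandom(16)
    file_key, auth_token = client_derive(password, salt)
    return {"salt": salt, "server_salt": server_salt,
            "verifier": _server_hash(auth_token, server_salt),
            "blob": toy_encrypt(file_key, file_bytes)}


def zero_knowledge_login(server: dict, password: str) -> bool:
    _, auth_token = client_derive(password, server["salt"])
    return hmac.compare_digest(server["verifier"], _server_hash(auth_token, server["server_salt"]))


def breach_zero_knowledge(server: dict, guesses: list):
    """Attacker with a full copy of the server. The only way to the file is an
    offline password guess, paying the client-side KDF cost for every try; the
    server's extra hash does not slow this down, because the ciphertext's own tag
    tells the attacker whether a derived key is right. Returns (guess, plaintext) or None."""
    for guess in guesses:
        file_key, _ = client_derive(guess, server["salt"])
        try:
            return guess, toy_decrypt(file_key, server["blob"])
        except ValueError:
            continue
    return None


# Constructed wordlist for the demo; real attacks run millions of candidates.
WORDLIST = ["password", "123456", "hunter2", "letmein", "dropbox"]

if __name__ == "__main__":
    doc = b"quarterly numbers, internal only"
    print("provider-held key, after breach:", breach_server_side(server_side_store(doc)))
    print("zero-knowledge, weak password:",
          breach_zero_knowledge(zero_knowledge_signup("hunter2", doc), WORDLIST))
    print("zero-knowledge, strong password:",
          breach_zero_knowledge(zero_knowledge_signup("Correct-Horse-Battery-Staple-2016", doc), WORDLIST))
```

Running the script shows the asymmetry the Q&A describes: in the first model the breached server yields the plaintext directly, while in the second the attacker gets only salts, a hashed token and ciphertext, and recovers the document only when the password is in the wordlist. Note the design point in `breach_zero_knowledge`: once the attacker holds the ciphertext, what protects the file is the per-guess cost of the client-side derivation multiplied by the number of guesses the password forces, which is exactly why the answers above keep insisting on password strength.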
What does Tresorit do to make users take the needed steps for security?
We strongly encourage users to switch on 2FA as an additional layer of protection, and Tresorit for Business users can also enforce 2FA for their team as a security policy. We have strict password requirements: passwords must be at least 8 characters long and include capitals, lower-case letters and numbers, and we notify you when your password is not strong enough (for example, when it contains frequently used words).
Has anyone checked Tresorit’s end-to-end encryption methods?
Our end-to-end encryption was put to the test in a hacker challenge by more than 1000 specialists (including MIT and Stanford researchers), and nobody broke it. A challenge like this shows the design held up against motivated attackers; it is not a mathematical proof that it can never be broken.
OK, so what should I do now?
If you are looking for a secure alternative after the Dropbox hack story, take a look at our checklist to see what you should look for. To learn more about the signs that a service handles your password securely, read our blog post.
If you want to replace Dropbox with something safer, switch to Tresorit today.
If you are already using Tresorit, make sure your password is strong enough and turn on 2-step verification (2FA).