by rvnx 778 days ago
They were using SHA1, then they migrated.

68 million accounts dumped: https://www.theguardian.com/technology/2016/aug/31/dropbox-h...

https://www.troyhunt.com/the-dropbox-hack-is-real/

Now they first hash the password using SHA512 (with a per-account salt).

Then they hash the password with bcrypt (with the default strength).

Then they encrypt the password with a key that the application server runs with, but that is not stored in the database.

So yes, hashed and salted.

3 comments

This hack seems to affect the Dropbox Sign application, which is based on HelloSign which they acquired a few years ago. It’s still running on the hellosign.com domain and seems mostly separate, so it wouldn’t surprise me if they also store passwords differently.
That… seems excessive. Is it just security theater or actually useful somehow?
Useful because you can support existing passwords without requiring everyone to login or reset their password. Still has flaws though, like password shucking.
They encrypt the salted password hash?
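The three layers rvnx describes (salted SHA-512, then a slow hash, then encryption under a key the application server holds) and the migration benefit raised in the replies (wrapping an existing digest without making the user log in), as an added Python example that is not from this thread and is not Dropbox's code. Stand-ins are labelled: PBKDF2-HMAC-SHA256 plays the role of bcrypt, an HMAC-SHA256 counter-mode keystream with an HMAC tag plays the role of the server-side cipher (a real deployment would use an AEAD such as AES-GCM), and the "legacy" records are constructed as unsalted SHA-1 purely for the demonstration.

```python
import hashlib
import hmac
import secrets

SALT_LEN = 16
NONCE_LEN = 16
DIGEST_LEN = 32

# Inner (fast) hashes. "sha512" is the per-account-salted first layer from the
# thread; "sha1" is a constructed stand-in for the legacy records being migrated
# (unsalted here, purely for illustration).
INNER = {
    "sha512": lambda pw, salt: hashlib.sha512(salt + pw).digest(),
    "sha1": lambda pw, salt: hashlib.sha1(pw).digest(),
}


def generate_key() -> bytes:
    """Key the application server runs with; it lives in the process, never in the DB."""
    return secrets.token_bytes(32)


def slow_kdf(inner_digest: bytes, salt: bytes) -> bytes:
    """Second layer. The thread uses bcrypt; PBKDF2-HMAC-SHA256 is a stdlib stand-in."""
    return hashlib.pbkdf2_hmac("sha256", inner_digest, salt, 20_000, dklen=DIGEST_LEN)


def seal(key: bytes, digest: bytes) -> tuple:
    """Third layer: encrypt the slow hash under the server key.
    Stand-in cipher: HMAC-SHA256 as a PRF in counter mode (one 32-byte block
    covers the digest) plus an HMAC tag over nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    keystream = hmac.new(key, b"enc" + nonce + b"\x00", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(digest, keystream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Check the tag first, then strip the keystream; fails on a wrong key."""
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong server key or tampered record")
    keystream = hmac.new(key, b"enc" + nonce + b"\x00", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))


def _record(inner: str, salt: bytes, inner_digest: bytes, key: bytes) -> dict:
    nonce, ct, tag = seal(key, slow_kdf(inner_digest, salt))
    return {"inner": inner, "salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def make_record(password: bytes, key: bytes) -> dict:
    """New account: SHA-512(salt || pw) -> slow KDF -> encrypt."""
    salt = secrets.token_bytes(SALT_LEN)
    return _record("sha512", salt, INNER["sha512"](password, salt), key)


def wrap_legacy(legacy_digest: bytes, key: bytes) -> dict:
    """Migrate a stored legacy digest without knowing the password and without
    asking the user to log in: the old digest simply becomes the inner layer."""
    salt = secrets.token_bytes(SALT_LEN)
    return _record("sha1", salt, legacy_digest, key)


def verify(record: dict, password: bytes, key: bytes) -> bool:
    """Recompute the layers for the candidate password and compare in constant time."""
    stored = unseal(key, record["nonce"], record["ct"], record["tag"])
    inner_digest = INNER[record["inner"]](password, record["salt"])
    candidate = slow_kdf(inner_digest, record["salt"])
    return hmac.compare_digest(stored, candidate)


def rotate_key(record: dict, old_key: bytes, new_key: bytes) -> dict:
    """Because the outer layer is encryption rather than a hash, the server key
    can be rotated across all records with no user involvement."""
    digest = unseal(old_key, record["nonce"], record["ct"], record["tag"])
    nonce, ct, tag = seal(new_key, digest)
    return {**record, "nonce": nonce, "ct": ct, "tag": tag}


def legacy_sha1(password: bytes) -> bytes:
    """Constructed legacy record format (unsalted SHA-1), used only for the migration demo."""
    return hashlib.sha1(password).digest()


if __name__ == "__main__":
    key = generate_key()
    rec = make_record(b"correct horse battery staple", key)
    print("new-style verify:", verify(rec, b"correct horse battery staple", key))
    old = wrap_legacy(legacy_sha1(b"hunter2"), key)
    print("migrated verify:", verify(old, b"hunter2", key))
    new_key = generate_key()
    rotated = rotate_key(rec, key, new_key)
    print("rotated verify:", verify(rotated, b"correct horse battery staple", new_key))
```

Two things the code makes concrete: a record wrapped from a legacy digest is only as strong at the inner layer as that legacy digest was, which is why such records should be rewritten with the SHA-512 inner layer on the user's next successful login; and `rotate_key` shows what the encryption layer buys over a simple keyed hash, namely that the server key can be changed without touching any password.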