"All hashing mechanisms necessarily allow attackers to brute force the hash offline, by going through lists of possible passwords, hashing them, and comparing the result. In this context, secure hashing functions like SHA have a critical flaw for password hashing: they are designed to be fast. A modern commodity CPU can generate millions of SHA256 hashes per second. Specialized GPU clusters allow for calculating hashes at a rate of billions per second."To defend against those types of brute force attacks, Dropbox secures its passwords with a protection scheme that consists of three distinct measures.
- First, the company takes a plaintext password and transforms it into a hash value using SHA 256.
- It takes that hash and hashes it again with bcrypt using a cost of 10 and a unique, per-user salt.
- Finally, Dropbox encrypts the bcrypt hash with AES 256 using a secret key called a pepper, which is stored separately to ensure an attacker can't decrypt the hashes in the event someone compromises the company's password storage.
"Our password hashing procedure is just one of many measures we use to secure Dropbox. We’ve deployed additional safeguards against online brute-force attacks like rate-limiting password attempts, captchas, and a range of abuse mitigations. Like the diagram above, there are many layers to maintaining robust security, and we’re actively investing in all of them."News of this strategy comes less than a month after Dropbox verified the legitimacy of more than 68 million users' login credentials that someone dumped online following a security incident in 2012. Approximately half (32 million) of those leaked passwords were protected with bcrypt, while the company appeared to have secured the rest using SHA 256.