Dropbox
dropbox.com
Last update: February 2024
Grade: 84/100 (B)
Grade Breakdown
Username and Password Limitations
Dropbox users log in with their email address and password. There are no minimum password requirements; in testing, the system accepted a string of any length made up only of lower-case letters, which means that an extremely insecure password is possible. Brownie points for a strength meter.

Minus 1 point for no custom username. Minus 1 point for low minimum password length.
3/5
Multi-factor Authentication
Dropbox supports authenticator apps and physical security keys, and SMS can optionally be added as a backup option. The system supports one-time recovery codes.

5/5
"Forgot Login" Flows
Dropbox has one flow for a forgotten password. It asks for an email address and sends an email with a password reset link. The message displayed is the same whether or not that email address is associated with an account.

However, this benefit is nullified by the main login page: if someone tries to log in with a valid Dropbox email, a "Welcome back" message is displayed, while if they use an invalid email, they are prompted to create a new account.

The page displayed if an email address associated with a Dropbox account is entered.

The page displayed if an email address not associated with a Dropbox account is entered.
In short: an attacker would have to have compromised a user's email in order to leverage the forgotten-password flow. However, an attacker can check whether an email address is associated with a Dropbox account or not (minus 1 point).
4/5
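An added example (not Dropbox's code) contrasting the login-page behaviour described above with an enumeration-resistant version in which unknown and known addresses get the same message and the same amount of work; the credential store, salt, dummy hash and messages are constructed for illustration:

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store (hypothetical; not Dropbox data).
SALT = b"constructed-salt"

def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 50_000)

USERS = {"alice@example.com": _hash("correct horse battery staple")}
# Dummy hash checked for unknown addresses so both paths cost the same.
DUMMY_HASH = _hash(secrets.token_hex(16))
RESET_TOKENS: dict[str, str] = {}

def login_leaky(email: str, password: str) -> str:
    """Mirrors the behaviour described above: an unknown address gets a
    sign-up prompt before any password check, so the response alone
    confirms whether an account exists."""
    if email not in USERS:
        return "Create a new account"
    if hmac.compare_digest(USERS[email], _hash(password)):
        return "Welcome back"
    return "Wrong password"

def login_uniform(email: str, password: str) -> str:
    """Hardened variant: unknown addresses still go through a hash check
    against a dummy value, and every failure gets one message, so neither
    the text nor the timing separates 'no account' from 'wrong password'."""
    stored = USERS.get(email, DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password))
    if ok and email in USERS:
        return "Welcome back"
    return "Invalid email or password"

def request_reset(email: str) -> str:
    """Reset request modelled on the forgotten-password flow described on
    this page: one message for every address; a token is recorded (and would
    be emailed) only for known users."""
    token = secrets.token_urlsafe(32)
    if email in USERS:
        RESET_TOKENS[email] = token
    return "If that address is registered, a reset link has been sent."

def distinguishes_accounts(fn, known: str, unknown: str, *args) -> bool:
    """Review check: True if the handler's response differs between a
    registered and an unregistered address given the same other inputs."""
    return fn(known, *args) != fn(unknown, *args)
```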
Account Change Notification
Dropbox sends specific notifications when any of the account information is changed, including an email to the old email address if that was what changed.
5/5
View Login History and Remote Logout
Dropbox shows all current and past devices associated with the account, and allows them to be remotely disassociated.
5/5