
What really bothers me about this is that Dropbox hasn't bothered to reset the sessions. Even after I manually reset my password (which I wasn't prompted or forced to do, btw), all my apps (iPhone, desktop, etc.) that have existing sessions weren't expired. So for all I know, a hacker might already have an open session to my Dropbox, and changing the password will not fix that.

Clarification edit: I did receive the e-mail from Dropbox letting me know that I should change my password, but when visiting dropbox.com I was already logged in and wasn't prompted to perform the pw reset.



I'm a lead at Syncplicity, a prominent competitor. Early in my career at Syncplicity I changed all of our desktop clients to use long-lived sessions that do not reset when the user's password is changed.

For us, this is deliberate for a few reasons. Most of our customers authenticate via their employer's SSO (single sign on) and do not use any Syncplicity password management. We also do not believe that routine password maintenance should force someone to run around and re-authenticate all their computers. (Like Dropbox, a user can log into our web site and remove computers from their account.)

I do understand the argument that a password change should force a re-authentication on all clients; but I don't think it's the right approach. Changing a password is reactionary and preventative. An email notification will inform a user that his or her account is compromised.


Maybe one could add a checkbox to allow users to do that when they want to. My Skype password was recently hacked and I'm very, very happy that I could log out all the clients via one command. Sometimes it's a feature you really, really want in order to react fast.


Personally I like a "revoke all clients" button in addition to the system you describe.
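To make the design choice debated in the comments above concrete, here is an added example (my own illustration, not Syncplicity's or Dropbox's code): a small session store in which every user carries a "session generation" counter. Each token remembers the generation it was issued under, so a single "revoke all clients" bumps the counter and invalidates every device session at once without enumerating them. Whether a password change also bumps the counter is a policy flag, so both positions in the thread can be run side by side. All names (SessionStore, revoke_all, unlink_device, the "alice" scenario) are hypothetical.

```python
"""Session revocation by per-user generation counter (added example, not vendor code).

Validation succeeds only when a token's recorded generation equals the user's
current generation.  revoke_all() bumps the generation (the "panic button");
unlink_device() revokes one session; change_password() optionally revokes all,
depending on the policy chosen when the store is created.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    name: str
    password_hash: bytes
    salt: bytes
    session_generation: int = 0  # bumped to invalidate every outstanding session


@dataclass
class Session:
    token: str
    user: str
    device: str
    generation: int  # generation the token was minted under
    revoked: bool = False  # set by per-device unlink


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the stdlib keeps the example self-contained; tune or swap in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class SessionStore:
    def __init__(self, revoke_on_password_change: bool) -> None:
        self.revoke_on_password_change = revoke_on_password_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def create_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, _hash_password(password, salt), salt)

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

    def login(self, name: str, password: str, device: str) -> Optional[str]:
        user = self.users[name]
        if not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, name, device, user.session_generation)
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return False
        return s.generation == self.users[s.user].session_generation

    def list_devices(self, name: str) -> List[str]:
        return [s.device for s in self.sessions.values()
                if s.user == name and self.is_valid(s.token)]

    def unlink_device(self, name: str, device: str) -> None:
        for s in self.sessions.values():
            if s.user == name and s.device == device:
                s.revoked = True

    def revoke_all(self, name: str) -> None:
        self.users[name].session_generation += 1

    def change_password(self, name: str, old: str, new: str) -> bool:
        user = self.users[name]
        if not self._check_password(user, old):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new, user.salt)
        if self.revoke_on_password_change:
            self.revoke_all(name)
        return True


def demo(revoke_on_password_change: bool) -> Dict[str, Dict[str, bool]]:
    """Constructed scenario: two legitimate devices plus one session on an unknown device."""
    store = SessionStore(revoke_on_password_change)
    store.create_user("alice", "correct horse")
    tokens = {
        "laptop": store.login("alice", "correct horse", "laptop"),
        "phone": store.login("alice", "correct horse", "phone"),
        "unknown": store.login("alice", "correct horse", "unknown-device"),
    }
    store.change_password("alice", "correct horse", "battery staple")
    after_change = {d: store.is_valid(t) for d, t in tokens.items()}
    store.revoke_all("alice")  # the "panic button" every commenter asked for
    after_panic = {d: store.is_valid(t) for d, t in tokens.items()}
    return {"after_password_change": after_change, "after_revoke_all": after_panic}


if __name__ == "__main__":
    print("keep sessions on password change:", demo(False))
    print("drop sessions on password change:", demo(True))
```

With the policy flag off, a password change leaves the unknown device's session usable, which is exactly the situation the top comment describes; with it on, or after revoke_all(), every outstanding token fails validation on its next request without the server having to track them individually.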


Is there a way to force the clients to be disconnected? I'm not a customer of yours or Dropbox.


You can see all the existing sessions and authorised applications from their website. It is not perfect and it is extra work to go through those and delete them, but at least there is a way.


I recently unlinked all my Dropbox sessions that were older than one month, which was a staggeringly high number to tell the truth. It would have been nice (and faster!) to have had a "panic button" that let me unlink everything all at once and only relink the things I needed to relink.


https://www.dropbox.com/account#security

Unlink the device to restart the session.





