The 85,100 Passwords Forbidden by @Dropbox

It’s amazing what you can learn about a mobile app using a zip utility and a text editor.

As someone who has spent years working in the mobile app security space, my two favorite Windows tools are 7-zip and Notepad++. Why? Because every .ipa file you download from iTunes and every .apk file you download from Google Play is just a zip file by another name.

When you unzip one of these apps and start examining the contents with your text editor, you can learn a lot about how the app was put together, including some of the security tricks used by the developers.

Take the Dropbox app, for example.

In the Dropbox app / zip-file, you’ll find a folder named assets. In the assets folder, you’ll find a subfolder named js (JavaScript?), and in that folder you’ll find a single file named pw.html.

If you’ve worked in infosec for more than 3 minutes, those two letters (pw) should instantly trigger one word in your mind: password.

If you open that HTML file, you’ll find an elegant bit of JavaScript that’s all of 52 lines long. The purpose of that script? To make sure that Dropbox users who are registering their accounts from within the mobile app choose a strong password.

Yay, security!

(Seriously, I want to give Dropbox props for enforcing this control. I’ve used mobile and web apps that allow for single-character passwords, which is a blatant disregard for the security of the users and of any data they might store in the app.)

I have a hunch that Dropbox may have started paying a little more attention to enforcing password security after their 2014 security incident. Whatever the reason, I’m glad to see them doing it.

UPDATE 2015-06-08: Luigi Rosa pointed out that the JavaScript is a compiled version of zxcvbn, a Dropbox project on GitHub meant to serve as a “realistic password strength estimator.” Not only has Dropbox implemented a script to enforce strong passwords for their users, but THEY’VE PUBLISHED THE CODE ON GITHUB SO OTHER MOBILE DEVELOPERS CAN USE IT. (Thanks, Luigi, for the info!)


The bit about this little HTML file that fascinates me is that ONE LINE of their script contains 85,100 words that their mobile app users are forbidden from selecting as a password, even if these words meet Dropbox’s password complexity requirements.
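The same inspection can be scripted. The following is an added example, not code from the original post or from Dropbox: it treats a package as a zip archive, walks the text files under assets/, and reports any file where a single line carries a large embedded list. The sample package, its word list and the function names are constructed for illustration.

```python
import io
import zipfile

TEXT_SUFFIXES = (".html", ".js", ".json", ".txt", ".xml")

def build_sample_package() -> bytes:
    """Constructed stand-in for an app package; not the real Dropbox app."""
    words = ",".join(f"word{i}" for i in range(500))  # constructed word list
    page = "<html>\n<script>\nvar list = \"" + words + "\";\n</script>\n</html>\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/js/pw.html", page)
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()

def inspect_assets(package: bytes, prefix: str = "assets/", max_bytes: int = 5_000_000):
    """Return one record per readable text file under `prefix`, longest line first."""
    report = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(prefix):
                continue
            if not name.lower().endswith(TEXT_SUFFIXES):
                continue  # ignore images and other binary assets
            if info.file_size > max_bytes:
                continue  # skip oversized entries instead of inflating them
            text = zf.read(info).decode("utf-8", errors="replace")
            lines = text.splitlines()
            longest = max(lines, key=len, default="")
            report.append({
                "path": name,
                "lines": len(lines),
                "longest_line_chars": len(longest),
                # comma-separated tokens on the longest line (assumed list format)
                "longest_line_tokens": longest.count(",") + 1 if longest else 0,
            })
    return sorted(report, key=lambda r: r["longest_line_chars"], reverse=True)

if __name__ == "__main__":
    for row in inspect_assets(build_sample_package()):
        print(row)
```

Running inspect_assets over the bytes of your own build shows what any user with a zip utility can read from it.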

Of all the word lists in all the apps in all the app stores in all the world, this list appears in theirs.

If you work in the infosec industry, especially if you’re a pen tester, you might want to consider adding this word list to your toolkit. If it’s good enough for Dropbox’s 300+ million users, it ought to be good enough for you, too.

(I know it goes without saying, but I’m going to say it anyway. This word list contains a handful… well, more than a handful of NSFW passwords. Don’t be stupid and end up in an HR disciplinary meeting because you decided to send this word list to all your users as part of your security awareness training program.)

