<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Password changed but user still has access? in Settings and Preferences</title>
    <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121544#M4296</link>
    <description>&lt;P&gt;Thank you for your help.  That's really poor security though isn't it?  Normally if you give someone access to your account by sharing the password, if you then change it they should not be able to get back into the account?  Come on Dropbox that's a massive security hole?&lt;/P&gt;</description>
    <pubDate>Sat, 18 Apr 2015 01:49:19 GMT</pubDate>
    <dc:creator>Gavin H.4</dc:creator>
    <dc:date>2015-04-18T01:49:19Z</dc:date>
    <item>
      <title>Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121542#M4294</link>
      <description>&lt;P&gt;Hi - I have a dropbox account which I share with a few people. In effect a single dropbox login and a few people know the password. Some of these access it via the dropbox App. I have changed the password on the main dropbox account, thinking this will stop them accessing it, but a number still seem to have access to it? Bit concerned as I thought once the password was changed they would lose their access.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Dec 2019 12:04:56 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121542#M4294</guid>
      <dc:creator>Gavin H.4</dc:creator>
      <dc:date>2019-12-27T12:04:56Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121543#M4295</link>
      <description>&lt;BLOCKQUOTE&gt;
&lt;P&gt;Bit concerned as I thought once the password was changed they would lose their access.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;

&lt;P&gt;No, you need to actively unlink those people's Dropboxes from &lt;A href="http://www.dropbox.com/account" rel="nofollow noreferrer"&gt;www.dropbox.com/account&lt;/A&gt; &lt;/P&gt;</description>
      <pubDate>Sat, 18 Apr 2015 00:27:45 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121543#M4295</guid>
      <dc:creator>Mark</dc:creator>
      <dc:date>2015-04-18T00:27:45Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121544#M4296</link>
      <description>&lt;P&gt;Thank you for your help.  That's really poor security though isn't it?  Normally if you give someone access to your account by sharing the password, if you then change it they should not be able to get back into the account?  Come on Dropbox that's a massive security hole?&lt;/P&gt;</description>
      <pubDate>Sat, 18 Apr 2015 01:49:19 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121544#M4296</guid>
      <dc:creator>Gavin H.4</dc:creator>
      <dc:date>2015-04-18T01:49:19Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121545#M4297</link>
      <description>&lt;P&gt;Normally you wouldn't give somebody access to your account though - it's basic security. Would you give them access to your email? No. By giving them your password they could do ANYTHING at all to your account and you'd have no comeback &lt;EM&gt;at all&lt;/EM&gt; - permanently delete files, remove your access, change the password/emails, anything. And as you've given them your security you have basically made them co-owner and allowed them to do it. &lt;/P&gt;

&lt;P&gt;Especially when there are inbuilt features to enable you to not need to do that (shared folders) &lt;/P&gt;</description>
      <pubDate>Sat, 18 Apr 2015 02:30:36 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121545#M4297</guid>
      <dc:creator>Mark</dc:creator>
      <dc:date>2015-04-18T02:30:36Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121546#M4298</link>
      <description>&lt;P&gt;This is a HUGE security hole.&amp;nbsp; You shouldn't have to manually unlink to force a new password to be entered.&lt;/P&gt;
&lt;P&gt;The right thing is that if a user changes a password, then the current credentials on ALL linked systems should be immediately revoked, and a request for an updated password generated.&lt;/P&gt;
&lt;P&gt;While I'm at it, an option to automatically unlink systems idle for a user settable time would be good - I just checked and I had 4 old cell phones and 6 old computers still linked but inactive - I should have an automatic method of cleaning this up.&lt;/P&gt;</description>
      <pubDate>Fri, 26 Aug 2016 22:42:52 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121546#M4298</guid>
      <dc:creator>George H.33</dc:creator>
      <dc:date>2016-08-26T22:42:52Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121547#M4299</link>
      <description>&lt;P&gt;To expand a bit more, the standard action if a security break-in is suspected is to change a password, but on dropbox, as currently configured that's useless - once a "bad guy" is into your account, i.e. linked, changing a password does no good - you have to take the extra unlink step, which I would wager most users have never heard of.&lt;/P&gt;</description>
      <pubDate>Fri, 26 Aug 2016 22:46:32 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121547#M4299</guid>
      <dc:creator>George H.33</dc:creator>
      <dc:date>2016-08-26T22:46:32Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121548#M4300</link>
      <description>&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;You shouldn't have to manually unlink to force a new password to be entered.&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Why? It's how most credentials work on machines.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It would do my head in having to re-link everything I had every time I changed my password - especially as I'm the only person who uses the devices.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;I just checked and I had 4 old cell phones and 6 old computers still linked but inactive - I should have an automatic method of cleaning this up.&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;But that leaves the data on your devices. If you unlink via the website then you can ask Dropbox to wipe any data on it. You cannot do that if it's unlinked. Nor could you track lost / stolen devices.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;you have to take the extra unlink step, which I would wager most users have never heard of.&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Personally I disagree. Most modern syncing tools/similar set up programs work on secure tokens. Changing a password on 99% of iOS device applications does not cause the linked accounts to re-request it for example.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 26 Aug 2016 22:50:55 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121548#M4300</guid>
      <dc:creator>Mark</dc:creator>
      <dc:date>2016-08-26T22:50:55Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121549#M4301</link>
      <description>&lt;P&gt;Most systems (e.g. windows) at least require a password entry on reboot - dropbox doesn't even do that - the old credentials are still valid across a reboot, at least on windows, and I suspect other platforms as well.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As far as other platforms not invalidating tokens when passwords change, that doesn't make it right - in fact, the right (i.e. secure) way to do this is to ask on password reset if the current tokens, links, etc. should be invalidated.&amp;nbsp; Just because other people jump off a cliff doesn't mean it's a good idea.&amp;nbsp; The basic rule of security is to err on the side of too much authentication, not too little!&lt;/P&gt;</description>
      <pubDate>Fri, 26 Aug 2016 22:57:18 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121549#M4301</guid>
      <dc:creator>George H.33</dc:creator>
      <dc:date>2016-08-26T22:57:18Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121550#M4302</link>
      <description>&lt;P&gt;You are right about my auto unlink suggestion, but that's easily remedied - just add the option on the auto unlink to erase the data, and make it the default.&amp;nbsp; In my case, it's irrelevant - all of these devices are known to be dead or upgraded to new identities.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;As far as tracking lost/stolen devices - I don't see how dropbox can help there anyway.&lt;/P&gt;</description>
      <pubDate>Fri, 26 Aug 2016 23:10:13 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121550#M4302</guid>
      <dc:creator>George H.33</dc:creator>
      <dc:date>2016-08-26T23:10:13Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121551#M4303</link>
      <description>&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;the old credentials are still valid across a reboot, at least on windows, and I suspect other platforms as well.&amp;nbsp;&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;It is, that's right, because Dropbox doesn't run on passwords - as was said, it runs on tokens.&amp;nbsp;&lt;/P&gt;
&lt;DIV class="comment-body markdown"&gt;
&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt;As far as tracking lost/stolen devices - I don't see how dropbox can help there anyway.&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;If a device logs in it keeps a record of the IP address. And I&amp;nbsp;&lt;EM&gt;believe&lt;/EM&gt; you can get security software that auto uploads images to Dropbox if people use/steal devices etc.&amp;nbsp;&lt;/P&gt;
&lt;/DIV&gt;</description>
      <pubDate>Fri, 26 Aug 2016 23:14:02 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121551#M4303</guid>
      <dc:creator>Mark</dc:creator>
      <dc:date>2016-08-26T23:14:02Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121552#M4304</link>
      <description>&lt;P&gt;But tokens can be invalidated from the server side, or rejected at boot time.&amp;nbsp; Now you're just telling me because it's inconvenient to be more secure for the architecture, therefore it's secure - a very bad argument.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 26 Aug 2016 23:23:09 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/121552#M4304</guid>
      <dc:creator>George H.33</dc:creator>
      <dc:date>2016-08-26T23:23:09Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/281168#M4305</link>
      <description>&lt;P&gt;I agree with George - I am in a similar situation.&amp;nbsp; I used my dropbox on a work computer and after leaving the company realized it is probably still sitting there with access.&amp;nbsp; I changed the password thinking that would stop anyone from getting into it and assumed all my other devices would need to be re-signed in with new password.&amp;nbsp; Not so, they all work without the new password - there must be a good reason it works like this, but I have no access to that computer to unlink.&amp;nbsp; The only thing I can hope is that the overall computer password is not discoverable. I have changed passwords on all my web based accounts that are sitting in my chrome tool bar (facebook, gmail, linkedin etc).&lt;/P&gt;</description>
      <pubDate>Wed, 20 Jun 2018 12:55:41 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/281168#M4305</guid>
      <dc:creator>dh32405</dc:creator>
      <dc:date>2018-06-20T12:55:41Z</dc:date>
    </item>
    <item>
      <title>Re: Password changed but user still has access?</title>
      <link>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/281983#M4306</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;STRONG&gt;&lt;a href="https://www.dropboxforum.com/t5/user/viewprofilepage/user-id/723651"&gt;@dh32405&lt;/a&gt;&amp;nbsp;wrote:&lt;/STRONG&gt;&lt;BR /&gt;
&lt;P&gt;I have no access to that computer to unlink.&lt;/P&gt;
&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;As mentioned previously in this thread, you don't need access to the computer to unlink it. You need to unlink the device from your &lt;A href="https://dropbox.com/account/security" target="_blank" rel="noopener"&gt;Account page&lt;/A&gt; on the Dropbox website.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Dec 2019 12:05:09 GMT</pubDate>
      <guid>https://www.dropboxforum.com/t5/Settings-and-Preferences/Password-changed-but-user-still-has-access/m-p/281983#M4306</guid>
      <dc:creator>Rich</dc:creator>
      <dc:date>2019-12-27T12:05:09Z</dc:date>
    </item>
  </channel>
</rss>

