Hey everyone! I'm Shreya, a Computer Science student specializing in cyber security and exploring the various areas of information security. Today's blog covers password policy analysis with Dropbox as a case study.
Password Policy Analysis: Dropbox
Password policy (Observed + Documented behavior):
At least 8 characters
Encourages letters, numbers, symbols (UI driven strength feedback)
Pattern / common password detection (not just character rules)

Though it doesn't meet the 12-character requirement many newer orgs adopt these days, 8 characters is still the minimum baseline accepted across many platforms. Modern security guidance is slowly pushing toward 12-16+ characters as safer defaults.
Industry reality:
- 8 = legacy baseline
- 10-12 = modern baseline
- 14-16 = strong modern
Also of note: there's no strict upper/lower-case enforcement rule publicly documented. That can look like a drawback from a traditional complexity-rule viewpoint, but modern systems often prefer entropy and pattern detection over forcing predictable complexity substitutions.
Dropbox actually uses password strength detection that compares passwords against common words, names, patterns and numbers to prevent easy-to-guess passwords.
For more info: https://help.dropbox.com/security/password-control
Dropbox also recommends longer passwords, unique passwords per service, and enabling 2FA or passkeys for stronger protection. See: https://help.dropbox.com/security/secure-password
Passwords to Test
- password_123
- bluey#1996
- bg@1996_dropbox
Detailed Explanation For Why Each Password Will Eventually Be Cracked
1. password_123
A very common variant of this, "password123", has been in pretty much every password-leak database for years now, so this variant will also be cracked easily.

Attack reality: This would likely be cracked instantly using credential stuffing or breach database matching, not brute force.
2. bluey#1996
Identical to an email/first name, plus 1996, which could very well be a birth year. A little digging into the person's identity and boom, you have all the possible variants built from name/birthdate etc.

Attack reality: This is classic OSINT-derivable password construction.
3. bg@1996_dropbox
Initials + year + the website they're signing up for, along with 2 special characters. Slightly better than the last two, but still very predictable as it's a combination of name/DOB/website. Still not secure enough.

Attack reality: Attackers specifically test service-name + year + initials combos.
Crack Time Testing
I went a step further and checked how long it would take hackers with modern tools to crack the above three. The results are hilarious: the first two are cracked in under 1 sec and the third takes ~8 hrs.

Important context: these tools estimate brute-force cracking time assuming no prior knowledge, no breach database, and no OSINT. Real attackers usually try leaks and patterns first.
You can try it on: https://www.mypasswordchecker.com/
4th Password: Password Manager Style
I'd like to take a 4th password for the analysis, something that Google password manager would suggest:
XFu2&3fM^Tm&&2#
Looks like sci-fi, but let's see:

It does say very strong, but modern GPUs could theoretically crack it in <12 days (a pure brute-force estimate assuming high compute resources).
Real-world note: without breach exposure or reuse, attackers are unlikely to brute-force something like this unless it's an extremely high-value target or an offline hash-cracking scenario.
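To make the gap between brute-force estimates and pattern-aware checking concrete, here is an added example (my own illustration, not Dropbox's code) that runs the four passwords above through a small checker of the kind described in the Dropbox section. The common-password list is a constructed stand-in for a breach list, and the user profile (name, initials, birth year, service) is hypothetical, standing in for what a bit of OSINT would reveal.

```python
import math
import re

# Constructed stand-in for a breach / common-password list (real ones hold millions of entries).
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "iloveyou"}
LEET = str.maketrans("@$!", "asi")  # undo the usual symbol-for-letter swaps

# Hypothetical profile matching the post's scenario: first name, initials, birth year, service.
USER_CONTEXT = {"name": "bluey", "initials": "bg", "year": "1996", "service": "dropbox"}


def normalize(pw: str) -> str:
    """Lowercase, undo leetspeak and strip separators: 'P@ssword_123' -> 'password123'."""
    return re.sub(r"[^a-z0-9]", "", pw.lower().translate(LEET))


def brute_force_bits(pw: str) -> float:
    """Naive search-space size in bits, i.e. what a pure brute-force crack-time tool measures."""
    size = 0
    for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, pw):
            size += n
    return len(pw) * math.log2(size) if size else 0.0


def evaluate(pw: str, context: dict = USER_CONTEXT) -> dict:
    """Pattern-aware check: length rule plus leak-list, dictionary-word, OSINT and year detection."""
    reasons = []
    norm = normalize(pw)
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if norm in COMMON_PASSWORDS:
        reasons.append("exact match in common-password list")
    else:
        for word in COMMON_PASSWORDS:
            if len(word) >= 5 and word in norm:
                reasons.append(f"contains common word '{word}'")
    for label, token in context.items():  # tokens an attacker could learn from OSINT
        if token.lower() in norm:
            reasons.append(f"contains user's {label} '{token}'")
    if re.search(r"(19|20)\d{2}", pw):  # four-digit year, a classic birth-year pattern
        reasons.append("contains a plausible year")
    return {"password": pw, "accepted": not reasons, "reasons": reasons,
            "bits": round(brute_force_bits(pw), 1)}


if __name__ == "__main__":
    for pw in ("password_123", "bluey#1996", "bg@1996_dropbox", "XFu2&3fM^Tm&&2#"):
        r = evaluate(pw)
        print(f"{pw:16} accepted={r['accepted']!s:5} bits={r['bits']:5}  {'; '.join(r['reasons'])}")
```

Note that password_123 scores more raw brute-force bits than bluey#1996 yet is rejected outright as a leaked password, which is exactly why the crack-time estimates above should be read as an upper bound.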
Conclusion
Looks like we need to step up our password game.
The real modern direction is:
- Longer passwords / passphrases
- Unique per service
- Password manager usage
- MFA / Passkeys
Extra Real-World Security Context:
Modern password strength systems don't just check for symbols; they check:
- Common password lists
- Human language patterns
- Keyboard patterns
- Known leaks
Research shows machine learning models can now learn real human password behavior from leak datasets and improve password guessing success significantly.
Also, password strength meters themselves can leak pattern info or be gamed if poorly designed.
Cool Research Papers to explore
Human Password Modeling Research https://arxiv.org/abs/2407.14145
Password Strength Meter Risks Research https://arxiv.org/abs/2505.08292
Password Entropy Theory https://arxiv.org/abs/2404.16853
NOTE:
Most accounts are NOT hacked via brute force. Most are compromised via:
- Password reuse
- Phishing
- Malware / infostealers
- Credential stuffing
Passwords are slowly becoming just one layer of authentication.
Hope you liked the write-up :) Follow up with me on X/Twitter.