Security and convenience always seem to be at war with each other. Sometimes it's difficult to understand why security folks are so draconian in their rules. It's never for the day to day normal situations that those rules come into play, but for the failures that inevitably happen. The popular storage service Dropbox's recent security problem is an example of how you need to think about possible security failures.

On the surface Dropbox certainly looks pretty secure.  They transmit files securely over SSL, they encrypt your files for storage, and you must login with a username and password to get access. Looks pretty good. Here's where the security can breakdown. The encryption key is stored at Dropbox. It's linked to your account. It becomes available for use when you login.

On June 19, Dropbox updated its site, and accidentally broke their password authentication so that any password worked. If I knew your Dropbox username, or guessed it, I could login to your Dropbox account by typing anything for the password. At that point, I could steal your documents, delete them, or replace them with falsified documents. I could even upload a virus and hope you would download it later and infect your computer.