Last September I wrote about a program called Dropbox that makes it trivially simple to synchronize files between PCs, Macs, Linux machines, iPads, iPhones, Android phones, and BlackBerrys. When you install Dropbox, you create a folder on your machine that's automatically synchronized with Dropbox folders on the other machines and with the Dropbox application on the Internet.
It's slick. I use it every day. But there's an annoying detail that's suddenly been thrust into the public eye.
Security researcher Derek Newton blogged about the problem over the weekend. To understand the nature of the issue, it helps to see how Dropbox sets up a shared folder.
Say you install Dropbox on a new PC. You pick the shared folder and give it a password. Any files dragged into the folder appear both in the folder and on the Dropbox website. To see them on the site, just log on and provide the same email address and password that you used when you created the original folder. Dropbox encrypts the files on its website, but the files inside the synced folder are just plain files.
Now you install Dropbox on a second PC -- same process. During the installation you create a shared folder on the second PC, provide your email address and password, and it's ready to go.
Each time you fire up either PC, the shared folder is just there. You don't have to log on to anything. Dropbox looks to see if any of the files have changed on the website and, if so, synchronizes the files in the designated folder -- very easy.
You can change the password if you like. When you're logged on to the Dropbox site, click the Account link on top, then the Account Settings tab. That's where things get a bit strange.
If you change your Dropbox password, you can still get into the Dropbox folders on all of your existing PCs -- and you don't have to supply the new password. The new password is only required if you set up Dropbox on a new PC (or Mac or iPad or whatever).
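To make the behavior concrete, here is a small Python model, added as an illustration and not taken from Dropbox or from Newton's post. It assumes the service hands each machine a long-lived device token at setup; the class, the token scheme, and the `revoke_on_password_change` switch are all hypothetical. It shows the behavior described above next to the stricter alternative, where a password change unlinks every existing machine.

```python
import secrets


class SyncService:
    """Toy model of a file-sync service (hypothetical; not Dropbox's code)."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.passwords = {}  # email -> password (plaintext only because this is a toy)
        self.devices = {}    # device token -> email of the account it is linked to

    def create_account(self, email, password):
        self.passwords[email] = password

    def link_device(self, email, password):
        # Setting up a new machine is the only step that asks for the password.
        if self.passwords.get(email) != password:
            raise PermissionError("bad email or password")
        token = secrets.token_hex(16)  # assumed per-device credential
        self.devices[token] = email
        return token

    def sync(self, token):
        # On later start-ups the machine presents only its stored token.
        return token in self.devices

    def change_password(self, email, new_password):
        self.passwords[email] = new_password
        if self.revoke_on_password_change:
            # Stricter design: drop every machine linked under the old password.
            self.devices = {t: e for t, e in self.devices.items() if e != email}


def demo(revoke_on_password_change):
    """Link one PC, change the password, then see what still works."""
    svc = SyncService(revoke_on_password_change)
    svc.create_account("user@example.com", "old-pass")   # constructed sample account
    existing_pc = svc.link_device("user@example.com", "old-pass")
    svc.change_password("user@example.com", "new-pass")
    try:
        svc.link_device("user@example.com", "old-pass")
        new_pc_with_old_password = True
    except PermissionError:
        new_pc_with_old_password = False
    return {"existing_pc_syncs": svc.sync(existing_pc),
            "new_pc_with_old_password": new_pc_with_old_password}


if __name__ == "__main__":
    print("as described in the article:", demo(False))
    print("revoking on password change:", demo(True))
```

In both modes the old password no longer works for setting up a new machine; the only difference is whether the machine that was already linked keeps syncing.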