MobileMe and Dropbox, a study in opposites

I have been using 1Password to move from "less secure" to "more secure" passwords. Like many people, I got into the bad habit of reusing a (relatively weak) password - let's call it "pa$$word" - on many different sites. I recently made a "New Smart Folder" in 1Password tasked with finding any site where my password is "pa$$word," and have been browsing the results.

That's when realized I was using the same password for both MobileMe and Dropbox. I was surprised how easy it was to change one of them, and what a complete pain it was to change the other.

To change my Dropbox password, I logged in , clicked a link labeled "Account" and then another labeled "Account Settings." Even a web novice could manage that. Next, I entered my old password, control clicked the "New Password" field, chose the 1Password submenu, and selected "Strong Password Generator," which produced nice random string of letters, numbers, and symbols. I then clicked "Change Settings" and that was it.

I expected that I would have to update all of my Dropbox clients (iMac, MacBook Pro, and iPhone) and change the password on each of them. I didn't. Dropbox automatically told all of the clients, "Hey, the password changed, and since you're an authorized client, here's the new information." Even the iPhone client automatically updated. It was smooth as could be. In fact you could say it "just worked."

MobileMe, on the other hand, "just didn't" -- at least not easily.

I logged into which took me to my email. If you haven't used the web interface before, it would be easy to get lost at this point. There are 7 icons at the top left of the page. The last one kind of looks like a gear, and that's where your MobileMe settings are found. When I clicked on it, I had to login again (despite having logged in less than a minute earlier). After this second login I was shown a clearer menu of choices, including "Password Settings" which is where I went. I entered my old password, and then tried to do the same thing I did with to generate a new password. It failed. The "Enter New Password" field remained blank. I tried it again. Still blank. I opened the, found the entry, manually generated a new, secure password, and attempted to manually paste it into the website. It wouldn't work.

I can only assume that some web developer at Apple believes that preventing people from pasting into the password field is "more secure" (debate that as you will). There are two problems with this argument. First, it completely breaks one of the basic user interface elements of every operating system since copy/paste was invented. There is absolutely no explanation from the UI as to what has happened. There's no error bell to tell me that I tried to do something wrong. I just pressed "Paste" or + V, and nothing happened.

Second, and more importantly, the most likely outcome of preventing me from pasting into the field is that I will use an easier, less secure, password. It took me several attempts to get the extremely strong password right twice, something that 1Password will get right every time. (1Password "pro tip": click the "Advanced Options" in the "Strong Password Generator" window and choose "Pronounceable" to get a strong but easier-to-type alternative.) The iDisk application on the iPhone and the MobileMe preference panel on the Mac will both accept "paste" commands as expected.

Unfortunately, it went downhill from there. A few minutes after I changed my MobileMe password, a warning popped up on my iMac telling me that my MobileMe credentials had changed. I opened the MobileMe preference panel and had to sign out. When I entered my new password, my sync history was deleted. My contact/calendar/etc information was still there, but it was as if I had never sync'd with MobileMe before, meaning that I had to go back into the "Sync" tab and re-check all of the options. Anyone who has used MobileMe sync knows what that means: I'm going to be seeing "Conflict Resolver" for the rest of the day, on each of the computers I sync to MobileMe. My local iDisk cache was moved to a "Previous local iDisks" folder on my Desktop, meaning that I have to re-sync all of that information as well. Given that I could have up to 20GB of information on my iDisk, that could be a fairly lengthy process.

In sum, it could not be any more painful or inconvenient to change your MobileMe password, and it couldn't be any easier to change your Dropbox password.

"BUT!! BUT!! BUT!!!!" I hear someone say "What if you lost your iPhone or your laptop?!?! Someone could get your Dropbox information even if you changed it!!!" It is true that changing your Dropbox password is not sufficient to protect your account if you lose a computer or iPhone linked to your Dropbox account. If that happens to you, the first thing you should do is go to your Dropbox account on the website, click on the "Account" link, then click on "My Computers" and unlink it from there. (Then I would suggest that you change your Dropbox password anyway.)

You can unlink computers from your MobileMe account as well, but you must do it through another Mac linked to your MobileMe account. If you only have one Mac and it is lost or stolen, I hope you have a friend who has a Mac who can let you use their computer to unlink your MobileMe account from your lost Mac. You can do this by going to the MobileMe Preference panel, click on the Sync tab, then click the "Advanced" button, select the computer from the list, choose "Stop syncing computer" and finally confirm your choice.

The Dropbox iPhone application has an option to require a passcode every time you launch Dropbox. The iDisk iPhone application has no such option. (I'm assuming that you know the iPhone has a similar system-wide function at Settings » General » Passcode Lock. If you aren't using it, you should be.)

Dropbox is also considering a "remote wipe" function which would allow you to remotely delete any files from a lost/stolen computer. If you are a Dropbox user, you can vote in favor of that feature here.

There is no way to remove locally stored information from an iDisk from a lost/stolen Mac. Changing your password won't do it, as MobileMe will simply put a "Previous local iDisks" folder on the Desktop of that computer. I suppose you could turn iDisk Sync off all together, but iDisk is painfully slow even with local sync on, and of course then you couldn't use your iDisk files offline either.