Open Shared Link Controls: Default Password Requirements for Open Shared Links
REQUEST: Admin would like the ability to set a global control whereby all public/open ('people with the link') links must have a password.
Our current controls on shared links impact all 3 Shared Link permissions causing additional impact on the user experience.
Instead of a “require password” security control, we intend to support a “Require OTP” requirement for public links (via SMS, Email, or TOTP). I wanted to share where we are headed. We do not plan on delivering this ask as is, but we do intend to solve the security use case behind it.
Please comment if you disagree.
-
G George commented
I tend to disagree and actually given you have provided the user with a password option the admins should be able to enforce the use of that password by default, OTP would then provide an additional level.
-
Kengo Masuda-Marubeni IT Sol commented
I agree with the idea of controlling with email based one-time passwords.
Various cloud services are enabling this functionality around 2020. E.g. OneDrive, Hennge, etc. If this becomes a reality, it should be possible to display email addresses instead of IP addresses as the source of access via open links in Content Insights, and to whitelist restrict email domains for OTP destinations on the administrator side.
Many companies are eagerly awaiting this idea.
-
Anonymous commented
Mandatory passwords for share links is an essential security layer without which we cannot enable share links on our EID. Password auto-generation would ensure that the appropriate password was generated.
-
Mark K (Box Admin) commented
This is a security no-brainer. Add the check box to require passwords on shared links.
-
Anonymous commented
This is an important security consideration and it looks like this has been sitting idle for a while, with the last updates from Box coming back in 2019. I'm surprised it's been sitting open for this long. Any update?
-
Anonymous commented
As others have noted below, this causes significant security problems by not being able to require a password for all public links. We often don't know the details of who the data is being sent to or downloaded by. I am constantly running reports and locking down folders that are shared publicly. This is a glaring security issue that should be addressed ASAP.
-
Anonymous commented
Agree. We would like to ask Box to create the feature that Admin would like the ability to set a global control whereby all public/open ('people with the link') links must have a password.
-
Anonymous commented
+100 on this. I have to create reports of unprotected links all the time, and then either disable it or inform their creators, it is so annoying and so unsecure in the first place.
Come on guys, one checkbox in the enterprise admin area and one database query during public link creation with either forcing it or not - that is two hours of work, while you are still planning OTP for the next 5 or how many years? Seriously?
OTP is not a solution for this anyway, we don't know many details about the recipient(s), that's why we use public link. If we would, we would invite the recipient(s) as a collaborator.
-
Anonymous commented
We need to be able to regulate how users share access to files that may contain proprietary or HIPAA protected information. If employees are not required to set a password on external links there is a high probability that they will not take the necessary steps to secure this information.
-
Anonymous commented
I think this is one of the must-have functions for many risk-conscious Japanese companies. We as system admin staff always confront this problem, raised by internal employees in the governance division or by external clients or suppliers. We have made an operational rule to create passwords for shared links, but it's hard to control some people who don't follow it since they are accustomed to do so as they send emails.
The same is true for the "file request" function. Since external people don't want to upload files without passwords, they put passwords on files or zip them with passwords, which makes the operation difficult...
Please develop the password requirement functions for shared links and file requests.
-
Hiroya Tsunoi (Admin, Box) commented
It seems that Dropbox Business supports password restriction for shared links.
Could you check its evidence as below.
-
Anonymous commented
Any updates on this? Requiring passwords on all public links is a no-brainer from a security perspective. I need to control this from the admin-level. As others have commented, this is standard on several other file sharing platforms and am surprised Box does not provide such functionality with all the compliance requirements Box markets it is compliant with.
-
S.K. (Admin, Box) commented
TOTP can't be a solution as users of most enterprises still don't have a mobile device for business or aren't allowed to use BYOD.
-
Anonymous commented
I strongly support this feature request. It is common sense to want to set different policies for files shared internally and externally. It's all very well that users can set these themselves but in the middle of a busy day it is easy for them to forget and just make the file available without really thinking of the longer term consequences. We should be taking steps to protect users from these kinds of mistakes.
-
Anonymous commented
This should be a default feature within Box. Most of your competitors currently provide this feature by default and will be the cause for migrations in the future.
-
Anonymous commented
When you are creating a shared link you must put a password. This is the way to have more control and security.
-
H.K (Admin, Box) commented
In certain regions (i.e. Japan), most enterprises are required to password protect any email attachments by default. Box's open shared links are a great replacement for the email attachments (and more secure with ability to disable at any time), but would require enterprise settings to enforce users to password protect the shared links by default.
-
Anonymous commented
This is a must have. We need a central way of controlling this by enforcing a policy that all shared links require a password. It is too easy to make a mistake and share a link without one.
-
Anonymous commented
Require OTP sounds like a great feature, but why can't it coexist with requiring a password to be set for all public links? Aren't use cases for these features different anyways? If one was to search "password shared link" here, it can be seen that it's still a requested feature. So I'm joining the other commentators here asking for a require password option.
-
S.K. (Admin, Box) commented
My customer is using the other large file transfer service (see the link below) just for sending/receiving a file to/from external stakeholders. They would like to replace it with Box as both services largely duplicate in features. However, only "by default password" is something that Box can't do now and therefore, it is not secure enough to allow the public link. Please consider prioritizing this.
https://support.hdeone.com/hc/en-us/articles/115005364668-What-is-HENNGE-Secure-Transfer-