Evernote Hack Shows That Passwords Aren't Good Enough

The Evernote hack is just the latest breach illustrating the need for two-factor authentication. Evernote is smart to take action.

By Tony Bradley
Tue, March 05, 2013

secure passwords, password security, passwords, security

Evernote revealed over the weekend that it was the victim of a data breach, emailing users and posting a notice on its Web site that attackers had gained access to usernames, email addresses, and encrypted passwords associated with Evernote accounts. As a precaution, Evernote forced all 50 million users to reset their passwords. That's a good step, but it's not really not good enough--so Evernote is accelerating its plan to roll out two-factor authentication.

Drowning in Passwords: Tips and Tools to Stay Safe and Sane

How to Protect Your Online Passwords

Evernote wasn't originally designed as a business service, at least until the December release of Evernote for Business. Evernote is primarily a note-taking and organizational tool similar to Microsoft's OneNote. Evernote provides a range of services--including Evernote Food, Evernote Peek, Skitch, Penultimate and more--as Web-based tools or apps across a range of operating systems and mobile platforms. Its capability to access and sync data across a broad range of devices makes it appealing as a business tool.

By its nature, Evernote is a prime example of a service where you stash both personal and professional data. Like any cloud-based service, it comes with some inherent risk. Any time you place business data in the cloud--particularly sensitive information such as customer names or addresses, banking or financial details, or proprietary company research--you are trusting the vendor to protect it. The big caveat, though, is that you are still ultimately responsible for what happens to your data.

One password to rule them all?

Evernote claims that the password data captured by the attackers was encrypted, but it still made all users select new passwords, just in case. As respected security authority Brian Krebs notes in his blog post on the Evernote breach, the standard hashing and salting algorithms used by vendors to encrypt password data offers trivial protection that can be cracked with relative ease.

One solution would be to use stronger passwords or passphrases, and to ensure that you don't use the same password for more than one service. When you do, a data breach at one vendor can expose your password, which could then allow the attacker to access all of your accounts instead of limiting the damage to the one that was breached.

Of course, remembering tens or hundreds of passwords is a bit of a Herculean task--especially if you're using strong, complex passwords. My PCWorld peer John Mello suggests a few options for simplifying password management, such as OneID, KeePass, and RoboForm.

1 2 next page »

Originally published on www.pcworld.com. Click here to read the original story.

More from CIO

You are here: News » News

Most Recent News Stories

White Papers »

Three Keys to Leveraging SIP for Productivity and Profitability Gains

A SIP-based Unified Communications infrastructure can improve productivity by 23%. Learn where SIP comes from, how it works and why the time has come to move to SIP.

Hiring Big Data Talent

In April 2013, IDG Research Services, on behalf of CareerBuilder, conducted an IT talent survey among IT management at medium- to large-sized organizations.

Your Data under Siege: Protection in the Age of BYODs

Download Kaspersky Lab's new whitepaper, Your Data under Siege: Protection in the Age of BYODs, to learn about:
- How a mobile workforce stretches your secured perimeter
- Why saying "no" is not an effective BYOD policy

Your Data under Siege: Defeating the Enemy of Complexity

Even if you have adequate antivirus protection, are there still holes in your IT security armor? Is lack of bandwidth to manage the growing list of threats, endpoints, and security systems making your organization vulnerable?

Is BYOD exposing you to risks? Top BYOD Issues to Address

Are you an IT executive developing a new BYOD strategy? Or seeking ways to improve your BYOD policies? This new paper provides insights into defining an effective BYOD strategy and optimizing BYOD for new technologies.

Application Security eGuide

In this eGuide, CIO and sister publications CSO and InfoWorld bring you news, opinions, research and advice regarding the risks that enterprises face from lackluster application security, and steps that can be taken to improve IT defenses.

Webcasts »

Seven trends to shape your digital business - Accenture Technology Vision 2013

Technology is now intertwined with nearly every aspect of business. Information technology is not only pervasive; it is fast becoming a primary driver of market differentiation, business growth, and profitability.

3 Reasons Why Sepaton is the World's Fastest Backup Solution

Leading analyst, Storage Switzerland learns how Sepaton backs up and deduplicates massive data volumes while maintaining the industry's fastest performance - all in one system. Learn more!

Enterprise File Sharing: All You Need to Know

Security. Scalability. Control. These are just some of the many benefits of enterprise cloud file-sharing that you'll discover in this KnowledgeVault, packed with short videos, white papers and demos.

Content Analytics: Big Data Conquered, Customer Service Elevated

For organizations looking to start a content analytics program or improve their existing capabilities, Aberdeen Group and IBM will lay out several recommendations on how to become a best-in-class customer service organization.

The Content Analytics Imperative

Register now to listen to this video whitepaper and to learn more about the components of content analytics applications, emerging best practices, and the issues to consider before deploying content analytics technologies.

Seven trends to shape your digital business - Accenture Technology Vision 2013