The latest notorious crack was on Evernote, a research tool that I use on projects. Intruders grabbed usernames, e-mail addresses, and passwords. It followed other recent breaches at Facebook, Twitter, and Apple. It is a cautionary reminder of the exposure one has when using technology, in the cloud or otherwise. The methods we use to secure our systems can be breached. I was impressed by Evernote’s response in a couple of ways:
- They appear to have taken responsibility for it immediately. Customers got an e-mail and Evernote forced a site-wide password reset. This negated the ability for the intruders to immediately reuse the information they had accessed, although they would still need to decrypt the stolen passwords;
- I was glad to learn that the passwords were encrypted, both salted and hashed. This post describes it as “How to Protect Your Users 101“. Sites that don’t use both make their encrypted passwords subject to brute force decryption. But it’s still just 101.
Like other high-profile cloud services, Evernote has announced its moving towards two-step authentication. Google has a good description of how their process works, in case you haven’t used this before. It limits which computers can access your account and requires periodic renewal so that you can’t “set and forget” for the lifetime of your access to a service.
The challenge for lawyers around this sort of attack is that it is very difficult to know whether the site you are using is engaging in the best encryption and security practices possible. It seems as though, as a baseline, the passwords on a site should be both salted and hashed. But this interview on Brian Kreb’s site suggests that salt/hash is a bit of a red herring. The bigger problem may be that companies are taking shortcuts and not using password hashes, out of a lack of developer knowledge around security functions.
An enforced password reset renders those passwords unusable. Unless you are using that password on other sites with the same username and/or e-mail address. The outcome of the Evernote intrusion is positive in the short term, because they seem to have responded well to it. The longer term outlook requires users to monitor where they are (re)using elements of their online identity – usernames, e-mail addresses, etc. – that can be re-used against them should one of their accounts be cracked.