Evernote hack shows that passwords aren't good enough

The Evernote hack is just the latest breach illustrating the need for two-factor authentication. Evernote is smart to take action.

Evernote revealed over the weekend that it was the victim of a data breach, emailing users and posting a notice on its Web site that attackers had gained access to usernames, email addresses, and encrypted passwords associated with Evernote accounts. As a precaution, Evernote forced all 50 million users to reset their passwords. That's a good step, but it's not really good enough--so Evernote is accelerating its plan to roll out two-factor authentication.

Evernote wasn't originally designed as a business service; it only gained a business offering with the December release of Evernote for Business. Evernote is primarily a note-taking and organizational tool similar to Microsoft's OneNote. Evernote provides a range of services--including Evernote Food, Evernote Peek, Skitch, Penultimate and more--as Web-based tools or apps across a range of operating systems and mobile platforms. Its capability to access and sync data across a broad range of devices makes it appealing as a business tool.

By its nature, Evernote is a prime example of a service where you stash both personal and professional data. Like any cloud-based service, it comes with some inherent risk. Any time you place business data in the cloud--particularly sensitive information such as customer names or addresses, banking or financial details, or proprietary company research--you are trusting the vendor to protect it. The big caveat, though, is that you are still ultimately responsible for what happens to your data.

One password to rule them all?

Evernote claims that the password data captured by the attackers was encrypted, but it still made all users select new passwords, just in case. As respected security authority Brian Krebs notes in his blog post on the Evernote breach, the standard hashing and salting algorithms vendors use to encrypt password data offer only trivial protection and can be cracked with relative ease.
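To make Krebs's point concrete, here is an added example (not code from the article or from Evernote) that contrasts the weak scheme, a single salted SHA-256, with a deliberately slow key-derivation function, PBKDF2-HMAC-SHA256. The salt defeats precomputed tables, but because it is stored next to the hash, each guess against a leaked record still costs the attacker one cheap hash; with PBKDF2 every guess costs the full iteration count. The 600,000-iteration work factor and the five-entry wordlist are assumptions constructed for this example, and the audit functions are the check a defender would run to gauge how badly a leaked record is exposed.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, List, Optional

# Work factor for the slow KDF. 600,000 PBKDF2-HMAC-SHA256 iterations is an
# assumed value for this example, not a figure from the article.
PBKDF2_ITERATIONS = 600_000

# Constructed, tiny stand-in for a real common-password list.
COMMON_PASSWORDS = ["123456", "password", "evernote1", "letmein", "qwerty"]


def fast_salted_hash(password: str, salt: bytes) -> str:
    """The weak scheme: one salted SHA-256. Each guess costs a single hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Slow scheme: per-user random salt plus PBKDF2-HMAC-SHA256. The record
    carries its own parameters so the work factor can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_record(password: str, record: str) -> bool:
    """Re-derive from the stored parameters and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def cost_per_guess(record: str) -> int:
    """Hash computations one guess costs against a PBKDF2 record (its iteration count)."""
    return int(record.split("$")[1])


def _find_common_password(matches: Callable[[str], bool], wordlist: List[str]) -> Optional[str]:
    """Return the first wordlist entry the record matches, or None."""
    for candidate in wordlist:
        if matches(candidate):
            return candidate
    return None


def audit_fast_record(digest_hex: str, salt: bytes, wordlist: List[str]) -> Optional[str]:
    """Breach-impact check for a leaked salted-SHA-256 record: one hash per guess."""
    return _find_common_password(lambda p: fast_salted_hash(p, salt) == digest_hex, wordlist)


def audit_slow_record(record: str, wordlist: List[str]) -> Optional[str]:
    """Same check against a PBKDF2 record: identical logic, but each guess costs
    cost_per_guess(record) hashes, which is what makes the scheme resist cracking."""
    return _find_common_password(lambda p: verify_record(p, record), wordlist)


if __name__ == "__main__":
    salt = os.urandom(16)
    leaked_fast = fast_salted_hash("evernote1", salt)
    print("fast record falls to wordlist:", audit_fast_record(leaked_fast, salt, COMMON_PASSWORDS))
    slow = make_record("evernote1")
    print("each guess against the PBKDF2 record costs", cost_per_guess(slow), "hashes")
    print("slow record also falls, but slowly:", audit_slow_record(slow, COMMON_PASSWORDS))
```

Note that a slow KDF does not rescue a password that is on a common-password list; it only multiplies the attacker's cost per guess, which is why the article's advice to use strong, unique passwords still applies on top of it.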

One solution would be to use stronger passwords or passphrases, and to ensure that you don't use the same password for more than one service. When you do, a data breach at one vendor can expose your password, which could then allow the attacker to access all of your accounts instead of limiting the damage to the one that was breached.

Of course, remembering tens or hundreds of passwords is a bit of a Herculean task--especially if you're using strong, complex passwords. My PCWorld peer John Mello suggests a few options for simplifying password management, such as OneID, KeePass, and RoboForm.

The real lesson of the Evernote hack, though, is that passwords don't offer very good protection for your data. Unique passwords that are complex offer better protection than using your dog's name or no password at all, but ultimately all passwords can be cracked or guessed, given enough time and effort.

Moving to multi-factor authentication

With that in mind, Evernote is joining Facebook, Dropbox, Microsoft SkyDrive, PayPal, Gmail, and a growing list of online service providers by adopting two-factor authentication.

Multi-factor authentication provides an extra layer of protection to safeguard your data. Phone-based authentication, for instance, can dramatically boost security. You've probably encountered a prompt for phone-based authentication when you try to log on to a bank's website from a device you don't normally use.

With phone-based authentication, a random or one-time code is sent to a mobile phone, and must be entered in addition to the standard username and password. Some solutions use a mobile app to generate a one-time PIN. Either way, in order for an attacker to access the account they'd have to both crack your password and be in possession of your mobile phone.

There are many other options aside from phone-based authentication, such as access tokens, smartcards and email verification. The exact method varies widely. No matter the implementation, two-factor authentication provides an extra layer of protection, and Evernote should be commended for offering it.

Stories by Tony Bradley