The problem with relying on cloud services is that they are prime targets for hackers. Earlier today, popular note-storing service Evernote acknowledged that it had detected "suspicious activity" on its network. In its blog post, Evernote specified that the intruder(s) had only gained access to account details, including usernames, email addresses, and encrypted passwords. The announcement further clarified that passwords are protected with one-way encryption, a process where a password is first salted and then hashed to make recovering the original password extraordinarily difficult. The company also stated that no content (stored notes and pictures) or payment information had been compromised. Aside from email addresses, the wrongdoers failed to get anything particularly valuable.

Evernote is taking additional precautions by initiating a reset of all user passwords and releasing an app update to streamline this process. After the new version is installed and attempts to sync, it will post a notification about an authentication error. Simply open the application and follow the prompts. Once the password has been changed, each app will have to be re-authenticated to resume syncing.


Source: Evernote

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • Sorian

    Nice to see they are proactive.

    • leenephi

      Yup! Especially considering I use it a lot :P

  • http://www.facebook.com/larsgbnielsen Lars Gyrup Brink Nielsen

    Salt plus hash is not necessarily particularly secure. Just saying.

    • http://codytoombs.wordpress.com/ Cody Toombs

      In the realm of securing passwords, there aren't very many things that can be done to go further. A couple of steps can add to the challenge of cracking, like custom mangling a salted password before or after hashing. We don't really know if Evernote used any other tricks, and I wouldn't blame them for being vague. Assuming the hash can't be reverse engineered (some have been), and assuming it is computationally expensive, then the weak point is the quality of a password. Naturally, if users choose weak passwords (e.g. 'password' or 'god'), that is their fault. Ultimately, a good salt+hash and a legitimately complex password are extremely hard to crack.

      For situations like this, the only thing better than one-way hashing is to never have the password at all. That usually means requiring users to sign in with a Google account (or some other provider).

      • didibus

        Probably brute force / dictionary attack was used to decrypt the hash obtained from the database. I don't see the benefit of not having the password at all, using another service still makes you vulnerable to that other service's weaknesses. It also means that when your main service account is hacked, all of your services are potentially compromised. Two-Step authentication is the way to go if you want to be really safe. Anyways, the issue here is that they need to make their servers more secure, to prevent future leaks from the database.

        • http://codytoombs.wordpress.com/ Cody Toombs

          I think you really missed the point, actually, a few points. To begin with, you are talking about it as if somebody has already deciphered the passwords. That's not what happened, not even remotely. At most, somebody gained access to hashed passwords a few days ago. It's unclear if anything was actually copied, or how much was copied (with more than 10 million accounts, it's possible that the transfer could have been interrupted before completion).

          The other thing that stands out is this assumption that brute forcing hashed passwords is easy or cheap. As I mentioned before, some users are dumb enough to use common words that can be found with dictionary attacks. But, a lot of people have been broken of that habit. In reality, using any SHA-2 hash algorithm and a random salt (to prevent rainbow tables) is going to make brute force attacks mostly worthless. Each password in that database is going to take somewhere between a few hours (if a password is found from a dictionary attack) and several years...for one password! Plus, that one password might not even be used anywhere else by that user. I genuinely hope that the Evernote intruder is trying to brute force those database passwords. That nimrod (or nimrods) will die of old age before there is a single password that can be exploited for any meaningful gain.

          I won't even deal with the single sign-on subject. I was making a point on the security of data once a site is compromised.

          • didibus

            Ah, right, I had read it wrong. I thought it had been known already that some of the passwords had been decrypted. In which case I assumed, considering I doubt Evernote uses an encryption algorithm with a known reverse algorithm, that it must have been from a dictionary attack (most likely), or a brute force.

            I'd like to say that brute forcing using a good dictionary is easier and faster than you might believe, even more so when you already know the username is valid. If he knows the hashing that is used, he can even brute force locally using the usernames and digest he got from the database. Moreover, since he has the list of usernames, he can reverse brute force, which makes it a lot easier and a lot faster to crack any one username, but not a particular one.

  • http://www.facebook.com/rmkattan Rami Kattan

    I still don't understand what Evernote can be used for. I made an account long ago, and never used it. For links and articles, I used Pocket, for notes and todo lists I use WonderList.

    This password leak made me finally deactivate my account.

    • Owen Finn

      I take pictures of receipts for work and file them as paid or unpaid. I take pictures of menu items and file it under "Figure out recipe". I take notes in meetings and file/tag them under subjects covered in the meetings. I email/text myself business information when someone gives me good word-of-mouth info. I clip webpages when in a hurry to read later. I use the speech-to-text function for VERY quick memos. I take pictures of book covers when in a bookstore for titles I want to read later, or find in the library.

      That's only about a third of what I use it for. I wasn't sure what I'd use it for at first, but it's seriously a great app when you start opening up your options and ideas.

      The fact that you are using two apps to do something Evernote could do alone should tell you something.

  • http://www.facebook.com/claudericke Chamunorwa Mararike

    Not sure how my e-mail address is not particularly valuable information...

  • Matthew Fry

    My brother in law was complaining about having to change his password for no reason. I'll have to let him know. This is a good reason.