March 04, 2013

Evernote discloses password breach, while critics bemoan its use of crackable crypto

Evernote discloses password breach, while critics bemoan its use of crackable crypto
Evernote discloses password breach, while critics bemoan its use of crackable crypto

Popular notetaking software service Evernote has reset the passwords for all of its users following a network breach.

The company advised its 50 million users on Saturday that it "detected and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas" of its service. It didn't find any indication that content or payment information was compromised, but the intruders did access usernames, email addresses and encrypted passwords of users.

As a result, it reset users' passwords and forced them to create new ones. Evernote also offers its service via apps for devices running operating systems such as Windows Mobile, iOS and Android.

"While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure," CTO Dave Engberg wrote. "This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords."

The breach is reminiscent of a string of incidents last spring when the credentials belonging to LinkedIn, Yahoo, eHarmony, Formspring and Billabong members were accessed by hackers. In many of these cases, the passwords are encrypted, but they are easily cracked using commonly available tools requiring minimal time and investment.

Evernote reportedly uses MD-5, a cryptographic hash function that has been known for years to be vulnerable.

Troy Hunt, a software architect and Microsoft MVP, suggested in a blog post he wrote over the weekend that websites such as Evernote should be required to disclose to their users what types of mechanisms they use to protect passwords.

"I propose that websites should be required to disclose their password storage mechanism," Hunt wrote. "The disclosure would sit right next to the point where the password is provided for persistent storage, namely on the registration and password change pages."

Related Articles
Related Topics
Related Links

More in News

Privacy-bolstering "Apps Act" introduced in House

The bill would provide consumers nationwide with similar protections already enforced by a California law.

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks

Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

Up to 160,000 Social Security numbers and one million driver's license numbers may have been accessed by intruders.