March 6, 2013

Evernote, e-mail, passwords and online security

A couple of days ago Evernote said hackers had gotten access to, among other things, e-mails and hashed and salted passwords (aka not in clear text). As a response, Evernote reset all passwords on its service.

That is a reasonable response, but to be fully effective it requires that an Evernote user didn't use the same password for her e-mail account, since it is possible to break hashed and salted passwords with a brute-force attack. And with access to a user's e-mail, a hacker can start getting access to other services by resetting passwords.

Yes, it's a core security rule not to use the same password across services, but obviously lots of people do that. Therefore, if you know you violated that rule and shared the same password for your e-mail and Evernote, change your e-mail password right away.

While you're at it, consider starting to use 1Password or a similar program that makes it easy to manage long and unique passwords, and use 2-Step Verification if you're using Gmail. It's a pragmatic way to beef up your protection against being hacked.

