After The Horse Bolted, Evernote Gets Set To Close The Stable Door With Two-Factor Authentication

Proactive — that's what security should be — but it almost never is. And note-taking site Evernote is no exception, following the security breach the site experienced over the weekend.


If you have been reading the news, even if you are not a security buff, then you’ll likely already know that Evernote had to reset all 50 million odd user passwords following an attack that left the perpetrator with a huge amount of email addresses, usernames and hashed and salted passwords.

The fact that the passwords were hashed and salted sounds promising as that should make them reasonably secure shouldn’t it?

“Security experts are criticizing online note-syncing service Evernote, saying the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets.”
Ars Technica

Oh, maybe not then.

So if the passwords aren’t quite so secure what else could the site have done to protect its users? Perhaps they used two factor authentication? Hmmm… I wonder… ?

“We were already planning to roll out optional two-factor authentication to all of our users later this year. We are accelerating those plans now.”
Ronda Scott via Information Week

Well, that's a step in the right direction then, I suppose.

For now, however, the only thing between an attacker and your Evernote account is a username and password, both of which….

….Tell me again, what exactly are you storing there?


About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
