Proactive — that’s what security should be — but it almost never is. And note-taking site Evernote is no exception, following the security breach the site experienced over the weekend.
If you have been reading the news, even if you are not a security buff, then you’ll likely already know that Evernote had to reset all 50 million-odd user passwords following an attack that left the perpetrator with a huge number of email addresses, usernames and hashed and salted passwords.
The fact that the passwords were hashed and salted sounds promising, as that should make them reasonably secure, shouldn’t it?
“Security experts are criticizing online note-syncing service Evernote, saying the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets.”
Oh, maybe not then.
So if the passwords aren’t quite so secure, what else could the site have done to protect its users? Perhaps they used two-factor authentication? Hmmm… I wonder…?
“We were already planning to roll out optional two-factor authentication to all of our users later this year. We are accelerating those plans now.”
Ronda Scott via Information Week
Well, that’s a step in the right direction then, I suppose.
For now, however, the only thing between an attacker and your Evernote account is a username and password, both of which….
….Tell me again, what exactly are you storing there?