Evernote’s password hack, and the security of your stuff in the cloud
Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.
As a precaution to protect your data, we have decided to implement a password reset.
I am a heavy Evernote user, and put a lot of stuff up there - from basic research to business records. I love that I can find my key information so easily. They have solid apps for OSX and iOS (although they have been increasingly buggy lately), and a good browser based system to get at my information from anywhere. I love having my stuff in the cloud so I can get at it wherever I am.
For the past couple of weeks I was teaching a PADI Instructor Development Course in Fiji and on several occasions I was able to quickly get to records that I needed but didn’t have with me through my iPad or MacBook Air. Too easy.
Lately I’ve been wondering about the wisdom of having all my eggs in one basket. I trust the Evernote team, and as a Premium User I have a paid account. But I have some concerns:
- If Evernote ever goes away (unlikely, but still a risk), what will happen to my data?
- Evernote has to be ever-vigilant for hacking attempts, and they have to win 100% - hackers only have to win once in a blue moon.
- As Evernote’s servers are not in Australia, my data may be legally accessed by a foreign government without warrant!
So it was good to see the following paragraph:
In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.
The next paragraph, while honest and direct, certainly gave me pause to continue to consider the future of my information storage:
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
Just yesterday (before the email went out), I downloaded a copy of DEVONthink, an OSX app that does many of the same things - allowing you to store snippets and documents, easily find them, OCR them, etc. Using DropBox you can sync data between multiple Macs, and there is an iOS app. The latter feels a bit clunky, and looks like you need to sync via Wifi. I hope Dropbox sync is coming soon to that, because my iPad is rapidly becoming my main on-the-go device.
There has been a lot of debate about Evernote vs. DEVONthink, and there are very passionate people on both sides, with some very persuasive reasons for their approach. Evernote’s cloud based storage is both its greatest feature and its biggest drawback, depending on your perspective. I had planned to use DEVONthink side-by-side with Evernote for a couple of weeks to get a feel for which (if either) is the better approach for me. I still will, but I think I’ll move more sensitive info straight away.
Back to the security issues. I have been waiting for a while for Evernote to introduce 2-factor authentication. Google has had this for some time, and Dropbox also introduced 2-factor security in 2012, following similar hacking attempts.
Evernote needs to implement 2-factor security as a matter of urgency.
While I am at it, Apple also needs to implement 2-factor security for their iCloud services as a matter of urgency, particularly if they want Documents in the Cloud to be taken seriously.
Going forward, my personal rule is that 2-factor authentication is a threshold feature for any cloud based service that I use to store anything I would consider proprietary or sensitive, let alone confidential. I recommend you consider the same approach.
Evernote’s team made some additional excellent suggestions for security:
- Avoid using simple passwords based on dictionary words
- Never use the same password on multiple sites or services
- Never click on ‘reset password’ requests in emails - instead go directly to the service
The first 2 should be an absolute given, but it’s clearly not the case. The third one has tricked most people at least once, making the first two even more important.
Most people I know have a password management strategy that consists of three passwords:
- a simple “throwaway” password they reuse on most websites
- a more secure one for some selected sites
- a most secure one for banking, finance, health, etc
In all three cases, most people re-use the same passwords, perhaps with minor variations.
The hackers know this and have set up ways of “sniffing” passwords. One way is to set up a rogue site, and when users try to sign on, they take the username and password and throw that at other sites, knowing that they will often get a hit. Even if they only get 1% success, they have a starting point. Mat Honan of Wired magazine’s own case teaches us that once a hacker gets “in” at a low level, they can use that information to gradually get full access to your life.
So you need to ensure you don’t re-use passwords, and that those passwords must not be simple. When it comes to hacking and security, most hackers are way better at hacking than users are at securing.
This is where my next rule of web security kicks in - I use 1Password to generate a separate password for each and every site I visit. Of course there are a lot of sites I visited before using 1Password, so once those sites are in 1Password, I can from time-to-time go through and manually change those passwords, starting with the passwords that are least secure.
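As an added example (my own illustration, not 1Password’s code or anything derived from how that app works), here is what the two habits above amount to in code: generating a separate random password per site from a CSPRNG, and then auditing an existing vault for reused passwords and ordering the rest weakest-first so the least secure ones get changed first. The vault contents below are constructed sample data, and the strength estimate is a simple character-pool calculation rather than a real cracking model.

```python
import math
import secrets
import string

# 94 printable ASCII characters used for generated passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Draw each character uniformly with the `secrets` CSPRNG (never `random`)."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimated_entropy_bits(password: str) -> float:
    """Rough strength estimate: infer which character classes are present and
    assume every character was drawn uniformly from that pool. This is an
    optimistic upper bound; a dictionary word scores far below its true
    crackability, which is exactly why the blog says to avoid them."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password that appears at more than one site to those sites.
    Any entry here is a credential-stuffing liability: one breach opens them all."""
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def weakest_first(vault: dict[str, str]) -> list[str]:
    """Sites ordered so the weakest existing password comes first, which is
    the order to work through when rotating old passwords."""
    return sorted(vault, key=lambda site: estimated_entropy_bits(vault[site]))


# Constructed sample vault: site -> current password. Not real credentials.
SAMPLE_VAULT = {
    "forum.example": "sunshine1",
    "shop.example": "sunshine1",
    "mail.example": "Password1",
    "bank.example": "x9!Qm2#Lp7$Wz4&R",
}

if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    for site in weakest_first(SAMPLE_VAULT):
        print(f"{site:15s} {estimated_entropy_bits(SAMPLE_VAULT[site]):6.1f} bits")
    fresh = generate_password()
    print("new password:", fresh, f"({estimated_entropy_bits(fresh):.1f} bits)")
```

The reuse check is the part most people skip: a vault that contains strong but duplicated passwords still fails the “never use the same password on multiple sites” rule.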
Whilst on 1Password, I’d recommend that if users want cloud access, they store the 1Password file in a Dropbox account, not iCloud, because Dropbox has implemented 2-factor security.
I also have a category of sites that require the highest security, so I have those sorted together into a group in the 1Password app, and I change those passwords twice a year when the clocks change with Daylight Savings (an idea I got from MacSparky).
Clearly this issue has made me re-consider aspects of my own approach to information security, and has reinforced others. I recommend that everyone do the same, and take at least the following actions:
- Use only reputable services that provide 2-factor authentication for cloud storage of personal, sensitive or confidential data;
- Have a personal password management policy that includes never re-using passwords, and never using dictionary passwords. Use of an app like 1Password, LastPass or similar may help.
The “be alert, not alarmed” approach is the right one. We users need to recognise that information security is a moving target, and that balancing convenience, ubiquity and security is a constantly changing challenge. We need to reevaluate our balance regularly!