
What Evernote did correctly.

Yesterday I wrote a little about Evernote being hacked and how it was bad that I could not remove their software from my device. Today I’d like to commend them for storing my password correctly in the first place. All too often companies store passwords in plaintext, which makes it trivial for hackers to use them if (and when) they are stolen. The email I received from Evernote stated:

...were able to gain access to Evernote user information, which includes
usernames, email addresses associated with Evernote accounts and encrypted
passwords. Even though this information was accessed, the passwords stored
by Evernote are protected by one-way encryption. (In technical terms, they
are hashed and salted.)

Perfect! Hashed passwords are almost impossible to reverse, unless the hashing algorithm is weak (see my earlier post on the use of SHA-1) or the original password appears in a rainbow table, which makes it somewhat easier to figure out what the hash says. LinkedIn’s attack last year brought to light the dangers of using weak hashing algorithms (as well as social engineering).

In today’s world passwords should be stored using a SHA-2 (or SHA-3, if you can find it) algorithm with a sufficiently large key (like SHA-512). The larger the key, the longer you can expect the passwords to be protected.

When attackers are looking for the weakest link in the chain in order to gain access to data, the passwords stored on a system should be the easiest thing to protect. Unfortunately not everyone has gotten the message. Have you verified your hashes today?

  1. 2013-03-05 at 12:02 EST

    Sadly they may not be all that secure. From comments of the engineers, the salt may not be unique but a stored “secret” salt which is used with each password. This is common in some webapps where you still want speed for apps to get in, so the bad guys end up guessing what the secret is first (which they do by looking for a large number of password hashes that are the same and guessing the password for those is either 12345678 or password. Then guess the secret that was used to get it; after that plug that secret in and brute force the others.)
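The post’s point about hashing and salting and the commenter’s concern about a single shared “secret” salt can both be seen in code. This is an added example, not Evernote’s or the author’s code; the secret value and the sample passwords are constructed, and the shared-salt scheme is shown only so the duplicate-digest audit has something to detect.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional

# Constructed stand-in for the site-wide "secret" salt the commenter describes.
SHARED_SECRET = b"constructed-site-wide-secret"

# Constructed sample password store: two accounts happen to share a password.
SAMPLE_PASSWORDS = ["password", "12345678", "password", "tr0ub4dor&3"]


def hash_shared_salt(password: str) -> str:
    """Weak scheme: one secret salt reused for every account.
    Identical passwords produce identical digests, which is what an
    attacker (or an auditor) looks for first."""
    return hashlib.sha512(SHARED_SECRET + password.encode()).hexdigest()


def hash_unique_salt(password: str, salt: Optional[bytes] = None) -> str:
    """Per-password random salt; stored as '<salt hex>$<sha512 hex>'.
    The salt is not secret, it just makes every digest unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_unique_salt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    recomputed = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(recomputed, digest)


def duplicate_hash_count(stored_hashes: List[str]) -> int:
    """Audit check: how many records share their digest with another record.
    Anything above zero means the salt is not unique per password."""
    counts = Counter(h.split("$")[-1] for h in stored_hashes)
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    shared_store = [hash_shared_salt(p) for p in SAMPLE_PASSWORDS]
    unique_store = [hash_unique_salt(p) for p in SAMPLE_PASSWORDS]
    print("duplicates with shared secret salt:", duplicate_hash_count(shared_store))
    print("duplicates with per-password salt:", duplicate_hash_count(unique_store))
```

The duplicate count is the check behind “have you verified your hashes today”: run it over your own store and a non-zero result is the shared-salt pattern the commenter warns about.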
