[ale] evernote security breach
Ron Frazier (ALE)
atllinuxenthinfo at techstarship.com
Mon Mar 4 12:38:51 EST 2013
"Michael H. Warfield" <mhw at WittsEnd.com> wrote:
>On Mon, 2013-03-04 at 09:35 -0500, Ron Frazier (ALE) wrote:
>> Hi all,
>
>> I first saw the link to this article on the dc404 mailing list. If
>> you're an Evernote user, you need to know about this.
>
>> http://www.theverge.com/2013/3/2/4056704/evernote-password-reset
>
>If you are an Evernote user, you need to change your password. The
>attackers had access to user-id's and password hashes. The passwords
>were hashed and salted, but simple passwords are still subject to
>off-line brute force and rainbow table attacks. Change your password
>to a good, high complexity, password or passphrase.
>
Do you think a 15 character random alphanumeric generated by Lastpass is good enough? Or, should you go longer if the site will let you?
>MOST IMPORTANT! This is NOT mentioned in the article quoted, but...
>If you used the same user id (E-Mail address) or similar and the same
>password on other sites, change all of them and use different passwords
>on each. It is not uncommon for someone to use the same password and
>id on different sites. It is equally not uncommon for attackers to KNOW
>THIS and, once they break your password on one site, to use a common,
>broken, password to attack other sites. That includes sites with other
>common variations on your user id.
>
I've known this for some time, but only recently went to the trouble to do it, after LinkedIn had their break-in. I'm now using Lastpass, which is a good way to keep track of many different passwords for different sites. (I know there are other solutions too.) It was a major pain to go to every site I had and go through the password change procedure, especially because, for the ones that were already different, I had to look them up. However, every one is now different and random. Every time I generate a new password for a new site, or change one on an old site, I let Lastpass handle it. The password vault is secured by a master password that you don't give out online. If anyone is interested, I can post my recommended settings for Lastpass preferences. You can use the service for free on PCs, but have to pay a modest fee for Premium service to use on mobile devices. I pay the fee, and am glad to support their continued development.
>> Sincerely,
>
>> Ron
>
>Regards,
>Mike
>
>
>--
>Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
>/\/\|=mhw=|\/\/ | (678) 463-0932 |
>http://www.wittsend.com/mhw/
>NIC whois: MHW9 | An optimist believes we live in the best of all
>PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
--
Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new email messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT techstarship.com