[ale] evernote security breach

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Mon Mar 4 12:38:51 EST 2013 


"Michael H. Warfield" <mhw at WittsEnd.com> wrote:

>On Mon, 2013-03-04 at 09:35 -0500, Ron Frazier (ALE) wrote:
>> Hi all,
>
>> I first saw the link to this article on the dc404 mailing list.  If
>you're an evernote user, you need to know about this.
>
>> http://www.theverge.com/2013/3/2/4056704/evernote-password-reset
>
>If you are an Evernote user, you need to change your password.  The
>attackers had access to user-id's and password hashes.  The passwords
>where hashed and salted but simple passwords are still subject to
>off-line brute force and rainbow table attacks.  Change your password
>to
>a good, high complexity, password or passphrase.
>

Do you think a 15 character random alphanumeric generated by Lastpass is good enough?  Or, should you go longer if the site will let you?

>MOST IMPORTANT!  This is NOT mentioned in the article quoted, but... 
>If
>you used the same user id (E-Mail address) or similar and the same
>password on other sites, change all of them and use different passwords
>on each.  It is not uncommon for someone to use the same password and
>id
>on different sites.  It is equally not uncommon for attackers to KNOW
>THIS and, once they break your password on one site, to use a common,
>broken, password to attack other sites.  That includes sites with other
>common variations on your user id.
>

I've known this for some time, but only recently went to the trouble to do it, after Linkedin had their break in.  I'm now using Lastpass, which is a good way to keep track of many different passwords for different sites.  (I know there are other solutions too.)  It was a major pain to go to every site I had and go through the password change procedure, especially because, for the ones that were already different, I had to look them up.  However, every one is now different and random.  Every time I generate a new password for a new site, or change one on an old site, I let Lastpass handle it.  The password vault is secured by a master password that you don't give out online.  If anyone is interested, I can post my recommended settings for Lastpass preferences.  You can use the service for free on PC's, but have to pay a modest fee for Premium service to use on mobile devices.  I pay the fee, and am glad to support their continued development.

>> Sincerely,
>
>> Ron
>
>Regards,
>Mike
>
>
>-- 
>Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>/\/\|=mhw=|\/\/          | (678) 463-0932 | 
>http://www.wittsend.com/mhw/
>NIC whois: MHW9          | An optimist believes we live in the best of
>all
>PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of
>it!
>
>
>

--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com

More information about the Ale mailing list