Online note-syncing service Evernote is forcing all of its 50 million users to reset their passwords after detecting suspicious activity on its network.
In an email message sent to users today and posted on its blog, Evernote said digital intruders gained access to customer usernames, email addresses and encrypted passwords. The company says it has found no evidence that any of the content that users store in Evernote was accessed, changed or lost, and that there is no indication payment information for Evernote Premium or Business customers was accessed.
“Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted),” the company advised. “While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.”
If you use Evernote (heck, even if you don’t), now is a great time to review your password practices. At the top of the password no-no’s list is reusing your email password at any other site. Also, while password hashing and salting can be effective at preventing attackers from working out your password should a company that stores that information get breached, it is far from solid protection. Evernote didn’t say which scheme it was using to hash passwords, but the industry standard is a fairly weak approach in which a majority of passwords can be cracked in the blink of an eye with today’s off-the-shelf hardware.
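To make the hashing-and-salting point above concrete, here is an added example (not code from the original post, and nothing to do with Evernote's actual implementation, which the company did not describe). It stores the same password two ways: one pass of a salted fast hash (SHA-256), and a deliberately slow password KDF (PBKDF2-HMAC-SHA256, with an assumed work factor of 200,000 iterations; bcrypt, scrypt or Argon2 would serve the same purpose). The salt defeats precomputed tables in both cases, but only the slow scheme makes each guess expensive, which is what limits an attacker who has stolen the hash table. The sample password, the record layout, the `needs_rehash` policy and the timing loop are all constructed for this illustration.

```python
"""Added example (not from the original post): why a salted fast hash is weak
and how a slow, salted KDF (PBKDF2-HMAC-SHA256 here) raises the cost of every
guess. Python 3 standard library only."""
import hashlib
import hmac
import os
import time

SALT_BYTES = 16
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms on your own servers


def hash_fast(password: str, salt: bytes) -> bytes:
    """Legacy-style record: one pass of a fast general-purpose hash plus a salt.
    The salt stops precomputed tables but each guess still costs one SHA-256 call."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def hash_slow(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Password-hashing KDF: the iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = "pbkdf2-sha256") -> dict:
    """Create a stored credential record with a fresh random per-user salt."""
    salt = os.urandom(SALT_BYTES)
    if scheme == "sha256":
        return {"scheme": scheme, "iterations": 1, "salt": salt,
                "hash": hash_fast(password, salt)}
    if scheme == "pbkdf2-sha256":
        return {"scheme": scheme, "iterations": PBKDF2_ITERATIONS, "salt": salt,
                "hash": hash_slow(password, salt, PBKDF2_ITERATIONS)}
    raise ValueError(f"unknown scheme {scheme!r}")


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if record["scheme"] == "sha256":
        digest = hash_fast(candidate, record["salt"])
    elif record["scheme"] == "pbkdf2-sha256":
        digest = hash_slow(candidate, record["salt"], record["iterations"])
    else:
        return False
    return hmac.compare_digest(digest, record["hash"])


def needs_rehash(record: dict) -> bool:
    """True when a record should be upgraded at the user's next successful login
    (legacy fast scheme, or a work factor below the current policy)."""
    return record["scheme"] != "pbkdf2-sha256" or record["iterations"] < PBKDF2_ITERATIONS


def seconds_per_guess(scheme: str, password: str = "correct horse battery staple") -> float:
    """Measure the cost of one verification attempt under a scheme; an attacker's
    guess rate against a stolen hash table is bounded by this number."""
    salt = b"\x00" * SALT_BYTES  # fixed salt: only the timing matters here
    if scheme == "sha256":
        reps = 2000
        start = time.perf_counter()
        for _ in range(reps):
            hash_fast(password, salt)
    else:
        reps = 3
        start = time.perf_counter()
        for _ in range(reps):
            hash_slow(password, salt)
    return max((time.perf_counter() - start) / reps, 1e-9)


def slowdown_factor() -> float:
    """How many times more expensive a guess is against PBKDF2 than against
    a single salted SHA-256 on this machine."""
    return seconds_per_guess("pbkdf2-sha256") / seconds_per_guess("sha256")


if __name__ == "__main__":
    legacy = make_record("hunter2", scheme="sha256")  # constructed sample password
    modern = make_record("hunter2", scheme="pbkdf2-sha256")
    print("legacy verifies:", verify(legacy, "hunter2"), "needs rehash:", needs_rehash(legacy))
    print("modern verifies:", verify(modern, "hunter2"), "needs rehash:", needs_rehash(modern))
    print(f"a guess against PBKDF2 costs ~{slowdown_factor():,.0f}x a guess against salted SHA-256")
```

The `needs_rehash` check is the practical migration path: a site that discovers it is storing fast hashes cannot convert them without the plaintext, so it upgrades each record the next time that user logs in successfully, and forces a reset for accounts that never do.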
See this widely-read interview for more information on the ease with which most hashed passwords can be cracked today and what organizations might do differently to better secure their users’ information. This post has some tips on how to pick a strong password (e.g., some of the strongest passwords aren’t words at all but multi-word phrases). Finally, if you receive an email telling you to click a link to reset your Evernote password — or any other password for an online service you use — don’t click it: visit the site manually instead to avoid email phishing schemes.