Evernote's Security Breach Leads to Leaked Passwords
Another day, another security breach. Following in the footsteps of popular hacked services Dropbox, Twitter, and LinkedIn, software and service vendor Evernote announced this March that it had suffered a data breach and suspected that usernames, email addresses, and encrypted passwords had been stolen.
Citing the decision to take an “abundance of caution” and not waiting to identify which usernames may or may not have been stolen, Evernote emailed all of its 50 million users about a required password reset.
Evernote released a flurry of updates in the days following the breach but also advised users to take security into their own hands. The email advised: “Avoid using simple passwords based on dictionary words,” “Never use the same password on multiple sites or services,” and “Never click on ‘reset password’ requests in emails—instead go directly to the service.”
Breaches are fast becoming commonplace in our modern digital world. The Internet is rife with hash lists dumped from compromised databases. Over the last few years, attackers running GPUs and FPGAs against such lists have become better at cracking passwords faster than users have become better at creating secure ones.
Users are known to create weak passwords, typically only using lower case letters (no uppercase, digits, or special characters) unless forced to do so. The average user has 6.5 passwords for approximately twenty-five accounts, sharing each password across 3.9 different sites.
Evernote’s advice to not use the same password on multiple sites is exactly right. Sharing passwords across sites means that if one site gets breached, the user’s password might be compromised on the other sites as well.
Length matters, too. While it takes hours to crack a five-character password, increasing the length by one character stretches the time to a day. An Amazon EC2 cloud system that combines the horsepower of 1,000 individual GPUs can enable crackers to brute-force an eight-character password in ten days.
Seventy percent of the 32 million passwords exposed when RockYou.com was hacked in 2009 contained eight characters or fewer, and only 14 million of the passwords were actually unique.
Additionally, many passwords use common character combinations and proper grammatical phrases like “trustno1” or “iambetterthansheis.” Using proper grammar in a password makes it easier for password-cracking software equipped with grammar rules to crack.
Yet creating and remembering a long, complex, unique, and ungrammatical password for every site a user visits is just about impossible. One way to make passwords hard to crack is to take the human out of the loop as much as possible.
Apps like 1Password, LastPass, and PasswordSafe let users create long, randomly generated passwords that are stored in a cryptographically protected file unlocked with a single master password. No password is completely uncrackable, but this approach makes the attacker’s job considerably harder.
Since users stand to lose a lot if their accounts are hacked, anything they can do to make the wall a little taller would likely be worth considering.