Evernote revealed over the weekend that it was the victim of a data breach, emailing users and posting a notice on its Web site that attackers had gained access to usernames, email addresses, and encrypted passwords associated with Evernote accounts.
As a precaution, Evernote forced all 50 million users to reset their passwords. That's a good step, but it's not really not good enough--so Evernote is accelerating its plan to roll out two-factor authentication.
Evernote wasn't originally designed as a business service, at least until the December release of Evernote for Business. Evernote is primarily a note-taking and organizational tool similar to Microsoft's OneNote.
Evernote provides a range of services--including Evernote Food, Evernote Peek, Skitch, Penultimate and more--as Web-based tools or apps across a range of operating systems and mobile platforms. Its capability to access and sync data across a broad range of devices makes it appealing as a business tool.
By its nature, Evernote is a prime example of a service where you stash both personal and professional data. Like any cloud-based service, it comes with some inherent risk. Any time you place business data in the cloud--particularly sensitive information such as customer names or addresses, banking or financial details, or proprietary company research--you are trusting the vendor to protect it. The big caveat, though, is that you are still ultimately responsible for what happens to your data.
One password to rule them all?
Evernote claims that the password data captured by the attackers was encrypted, but it still made all users select new passwords, just in case. As respected security authority Brian Krebs notes in his blog post on the Evernote breach, the standard hashing and salting algorithms used by vendors to encrypt password data offers trivial protection that can be cracked with relative ease.
One solution would be to use stronger passwords or passphrases, and to ensure that you don't use the same password for more than one service. When you do, a data breach at one vendor can expose your password, which could then allow the attacker to access all of your accounts instead of limiting the damage to the one that was breached.
Of course, remembering tens or hundreds of passwords is a bit of a Herculean task--especially if you're using strong, complex passwords. My PCWorld peer John Mello suggests a few options for simplifying password management, such as OneID, KeePass, and RoboForm.
The real lesson of the Evernote hack, though, is that passwords don't offer very good protection for your data. Unique passwords that are complex offer better protection than using your dog's name or no password at all, but ultimately all passwords can be cracked or guessed, given enough time and effort.
Sign up for CIO Asia eNewsletters.