
Evernote hack shows that passwords aren't good enough

Tony Bradley | March 6, 2013
Evernote revealed over the weekend that it was the victim of a data breach, emailing users and posting a notice on its Web site that attackers had gained access to usernames, email addresses, and encrypted passwords associated with Evernote accounts. As a precaution, Evernote forced all 50 million users to reset their passwords. That's a good step, but it's really not good enough--so Evernote is accelerating its plan to roll out two-factor authentication.

Moving to multi-factor authentication

With that in mind, Evernote is joining Facebook, Dropbox, Microsoft SkyDrive, PayPal, Gmail, and a growing list of online service providers by adopting two-factor authentication.

Multi-factor authentication provides an extra layer of protection to safeguard your data. Phone-based authentication, for instance, can dramatically boost security. You've probably encountered a prompt for phone-based authentication when you try to log on to a bank's website from a device you don't normally use.

With phone-based authentication, a random or one-time code is sent to a mobile phone, and must be entered in addition to the standard username and password. Some solutions use a mobile app to generate a one-time PIN. Either way, in order for an attacker to access the account they'd have to both crack your password and be in possession of your mobile phone.

There are many other options aside from phone-based authentication, such as access tokens, smartcards and email verification. The exact method varies widely. No matter the implementation, two-factor authentication provides an extra layer of protection, and Evernote should be commended for offering it.

