Evernote Double-Times Two-Factor Authentication Deployment

Evernote is speeding up its two-factor authentication deployment due to its recent breach.

More developments on the Evernote front… Apparently they were already planning on deploying two-factor authentication, as many have suggested. The latest breach is just going to speed up the deployment process. As mentioned previously, Evernote reported that attackers were able to access usernames, email addresses, and salted password hashes. Later reports pegged the weaker MD5 as the hashing algorithm instead of something more secure like SHA-1 or SHA-2. Best practice over the last few years, however, has been pushing for true password-based key derivation functions such as PBKDF2, scrypt, or bcrypt, but companies continue to lag behind due to implementation difficulties. And of course there are still considerations with these functions due to the potential tradeoff between brute-force and denial-of-service protection: the work factor that slows down password guessing is also paid by the server on every login.
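To make the contrast above concrete, here is an added example (not from the original post and not Evernote's code) that verifies a legacy salted-MD5 record and rehashes it with PBKDF2 on the next successful login. The record layout, the `md5(salt + password)` construction, the iteration count and the length cap are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; tune them to your own login latency budget.
PBKDF2_ITERATIONS = 600_000   # higher = slower guessing, but more server CPU per login
MAX_PASSWORD_BYTES = 1024     # cap input size so one request cannot demand unbounded work


def _md5_salted(password: bytes, salt: bytes) -> bytes:
    # Legacy scheme: a single fast hash, so each guess costs an attacker almost nothing.
    return hashlib.md5(salt + password).digest()


def new_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt, "hash": digest}


def verify_and_upgrade(password: str, record: dict) -> tuple[bool, dict]:
    """Check a login; on success return the record, upgraded to PBKDF2 if it was stale."""
    pw = password.encode()
    if len(pw) > MAX_PASSWORD_BYTES:
        return False, record               # reject before doing any expensive work
    if record["scheme"] == "md5-salted":
        candidate = _md5_salted(pw, record["salt"])
    elif record["scheme"] == "pbkdf2-sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", pw, record["salt"],
                                        record["iterations"])
    else:
        return False, record
    if not hmac.compare_digest(candidate, record["hash"]):   # constant-time compare
        return False, record
    if record["scheme"] != "pbkdf2-sha256" or record["iterations"] < PBKDF2_ITERATIONS:
        record = new_record(password)      # rehash while the plaintext is available
    return True, record


# Constructed sample: a legacy salted-MD5 record as it might sit in an old user table.
_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
LEGACY = {"scheme": "md5-salted", "salt": _salt,
          "hash": hashlib.md5(_salt + b"correct horse").digest()}
```

Accounts that never log in again keep their MD5 hash under this approach, so a migration still needs a plan for those records, such as a forced reset.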

via InformationWeek.com

Evernote, after suffering a data breach that caused the company to reset passwords for all of its 50 million users, announced that it plans to adopt two-factor authentication as quickly as possible.

“We were already planning to roll out optional two-factor authentication to all of our users later this year,” said Evernote spokeswoman Ronda Scott via email. “We are accelerating those plans now.”

Evernote warned all users Sunday via email that the company had suffered a security breach, after the company’s operations and security team “discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.”

Continued here.

#####

Were you affected by the Evernote breach? Post your comments below. Today’s post pic is from GettyIcons.com.

3 comments for “Evernote Double-Times Two-Factor Authentication Deployment”

  1. March 6, 2013 at 12:39 am

    #NOVABLOGGER: Evernote Double-Times Two-Factor Authentication Deployment http://t.co/6507QwqH1S http://t.co/4cWAQA6J22

  2. March 6, 2013 at 2:52 am

    Evernote accelerates plans for two-factor authentication https://t.co/Pha0398Zn4

  3. Ben
    March 7, 2013 at 5:05 pm

    It’s a bit of a misnomer saying that MD5 is “less secure.” The same class of attacks also work against SHA-1, and overall they’re fairly impractical for brute-forcing purposes. It’s important to note that the hashes were salted (hopefully with a protected, random salt). As such, things like rainbow table attacks won’t be useful (barring the attacker having access to the salt, though this still requires regenerating the entire tables with the new hash).

    I’d be far more interested to learn how the compromise occurred…
